Path traversal check

This commit is contained in:
Piero Toffanin 2021-10-26 15:41:14 -04:00
parent d12c81b773
commit a1244b9e3e
3 changed files with 24 additions and 5 deletions


@ -12,7 +12,7 @@ from flask_swagger_ui import get_swaggerui_blueprint
from translatehtml import translate_html
from werkzeug.utils import secure_filename
from app import flood, remove_translated_files
from app import flood, remove_translated_files, security
from app.language import detect_languages, transliterate
from .api_keys import Database
from .suggestions import Database as SuggestionsDatabase
@ -621,10 +621,15 @@ def create_app(args):
Download a translated file
"""
if args.disable_files_translation:
abort(403, description="Files translation are disabled on this server.")
abort(400, description="Files translation are disabled on this server.")
filepath = os.path.join(get_upload_dir(), filename)
try:
checked_filepath = security.path_traversal_check(filepath, get_upload_dir())
if os.path.isfile(checked_filepath):
filepath = checked_filepath
except security.SuspiciousFileOperation:
abort(400, description="Invalid filename")
return_data = io.BytesIO()
with open(filepath, 'rb') as fo: