assets: double check for null bytes in filename (#86356)
parent
e06ea594d6
commit
5fb21cd6ec
|
@ -196,6 +196,9 @@ class AssetOverwrite(FormView):
|
|||
os.stat(default_storage.path(img_orig))
|
||||
except ValueError:
|
||||
raise PermissionDenied()
|
||||
if '\x00' in img_orig:
|
||||
# os.stat should have raised "embedded null byte" but double check
|
||||
raise PermissionDenied()
|
||||
|
||||
upload = self.request.FILES['upload']
|
||||
|
||||
|
@ -249,6 +252,9 @@ class AssetDelete(TemplateView):
|
|||
os.stat(default_storage.path(img_orig))
|
||||
except ValueError:
|
||||
raise PermissionDenied()
|
||||
if '\x00' in img_orig:
|
||||
# os.stat should have raised "embedded null byte" but double check
|
||||
raise PermissionDenied()
|
||||
|
||||
default_storage.delete(img_orig)
|
||||
return redirect(Assets(request=self.request).get_anchored_url(name=os.path.basename(img_orig)))
|
||||
|
|
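Review bot: The added `if '\x00' in img_orig:` check in AssetOverwrite runs only after `default_storage.path(img_orig)` and `os.stat` have already been given the name, so it is a backstop rather than input validation; rejecting the NUL byte before the `try` would keep a malformed name from reaching the storage layer at all. The same three lines are repeated in the AssetDelete hunk, directly ahead of `default_storage.delete(img_orig)`, so a small shared helper called from both views would keep the two checks from drifting apart. The comment would be more useful if it recorded why the existing guard is not trusted, for example `# reject NUL bytes explicitly; do not rely on os.stat raising ValueError for them`. Both enclosing methods start and end outside the hunks and the page has lost indentation, so the placement of the new lines relative to the `try`/`except` is inferred.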