only serve help files from subdirectories (#34088)
This commit is contained in:
parent
4c02888734
commit
6dca93db79
|
@ -11,7 +11,7 @@ import django.contrib.auth as auth
|
|||
from django.shortcuts import render, redirect, get_object_or_404
|
||||
from django.conf import settings
|
||||
from django.core.urlresolvers import reverse
|
||||
from django.http import HttpResponse, HttpResponseRedirect, Http404
|
||||
from django.http import HttpResponse, HttpResponseForbidden, HttpResponseRedirect, Http404
|
||||
from django.db.models.query import Q
|
||||
from django.contrib.auth.models import User
|
||||
from django.contrib import messages
|
||||
|
@ -339,6 +339,8 @@ def help(request, pagename='index.html'):
|
|||
'content': get_help_content(pagename) })
|
||||
else:
|
||||
filepath = os.path.join(settings.HELP_DIR, pagename)
|
||||
if not os.path.abspath(filepath).startswith(settings.HELP_DIR):
|
||||
return HttpResponseForbidden()
|
||||
response = HttpResponse(content=file(filepath))
|
||||
response['Content-Type'] = 'image/png'
|
||||
return response
|
||||
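Review bot: The guard `if not os.path.abspath(filepath).startswith(settings.HELP_DIR):` normalizes only one side of the comparison and does not anchor on a path separator, so with a HELP_DIR like `/srv/help` a path under a sibling `/srv/helpers/` directory passes the check, and if HELP_DIR is configured as a relative path (not visible here) every request is refused because the absolute `filepath` can never start with it. Normalize the root once and compare against it with the separator appended, e.g. `help_root = os.path.abspath(settings.HELP_DIR)` followed by `if not os.path.abspath(filepath).startswith(help_root + os.sep):`; `os.path.realpath` on both sides would also cover symlinks inside the help tree if those are possible in this deployment. Separately, `file(filepath)` on the next line is never closed and raises IOError for a page that does not exist, which surfaces as a 500 instead of the Http404 already imported in this file. The enclosing `help` view starts before this hunk.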
|
|