only serve help files from subdirectories (#34088)

2019-06-18 07:17:42 +02:00 · 2019-06-18 07:17:42 +02:00 · 6dca93db79
parent 4c02888734
commit 6dca93db79
1 changed files with 3 additions and 1 deletions
--- a/docbow_project/docbow/views.py
+++ b/docbow_project/docbow/views.py
@ -11,7 +11,7 @@ import django.contrib.auth as auth
 from django.shortcuts import render, redirect, get_object_or_404
 from django.conf import settings
 from django.core.urlresolvers import reverse
-from django.http import HttpResponse, HttpResponseRedirect, Http404
+from django.http import HttpResponse, HttpResponseForbidden, HttpResponseRedirect, Http404
 from django.db.models.query import Q
 from django.contrib.auth.models import User
 from django.contrib import messages
@ -339,6 +339,8 @@ def help(request, pagename='index.html'):
                    'content': get_help_content(pagename) })
    else:
        filepath = os.path.join(settings.HELP_DIR, pagename)
+        if not os.path.abspath(filepath).startswith(settings.HELP_DIR):
+            return HttpResponseForbidden()
        response = HttpResponse(content=file(filepath))
        response['Content-Type'] = 'image/png'
        return response