export: Harden s3 export against directory traversal.

This commit modifies 'zerver/lib/export.py' to raise an exception
in the presence of a suspected attempt at directory traversal.
Graham Bleaney 2020-02-28 18:08:39 -05:00 committed by Tim Abbott
parent 3e602a9bd4
commit 5dca599481
1 changed files with 3 additions and 0 deletions


@ -1235,6 +1235,9 @@ def _save_s3_object_to_file(key: Key, output_dir: str, processing_avatars: bool,
raise AssertionError("Suspicious key with invalid format %s" % (key.name,))
filename = os.path.join(output_dir, key.name)
if "../" in filename:
raise AssertionError("Suspicious file with invalid format %s" % (filename,))
dirname = os.path.dirname(filename)
if not os.path.exists(dirname):
os.makedirs(dirname)
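Review bot: The substring test `if "../" in filename:` is a weak containment check because it inspects the joined string rather than the resolved path. An absolute `key.name` makes `os.path.join` discard `output_dir` with no `../` present, and a relative `output_dir` that itself contains `../` would be rejected as a false positive. Comparing resolved paths is more robust, e.g. `root = os.path.realpath(output_dir)` followed by `if os.path.commonpath([root, os.path.realpath(filename)]) != root: raise AssertionError("Suspicious file with invalid format %s" % (filename,))`. Whether earlier validation of `key.name` already rules out absolute names cannot be seen here, since `_save_s3_object_to_file` starts before and continues past this hunk.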