diff --git a/src/Site/SiteStorage.py b/src/Site/SiteStorage.py
index 4948fadc..f9e0ef25 100644
--- a/src/Site/SiteStorage.py
+++ b/src/Site/SiteStorage.py
@@ -382,7 +382,7 @@ class SiteStorage(object):
 if not inner_path:
 return self.directory
- if ".." in inner_path:
+ if "../" in inner_path:
 raise Exception("File not allowed: %s" % inner_path)
 return "%s/%s" % (self.directory, inner_path)
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index e74fb792..b059dd93 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -524,7 +524,7 @@ class UiRequest(object):
 if path.endswith("/"):
 path = path + "index.html"
- if ".." in path or "./" in path:
+ if "../" in path or "./" in path:
 raise SecurityError("Invalid path")
 match = re.match(r"/media/(?P
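Review bot: Narrowing the substring check from `".."` to `"../"` lets an `inner_path` that is exactly `..`, or that ends in `/..`, reach the `"%s/%s"` join on the last line of the hunk, so the returned path can resolve above `self.directory`; a backslash-separated `..\` component is no longer rejected either. The previous check caught all of these, so the new line is a regression rather than a tightening, and the same relaxation appears in the `src/Ui/UiRequest.py` hunk below. If the intent is only to permit file names that happen to contain two consecutive dots, the robust fix is to normalise the joined path and require it to stay under the site directory, e.g. `path = "%s/%s" % (self.directory, inner_path)` followed by `if not os.path.normpath(path).startswith(os.path.normpath(self.directory) + os.sep): raise Exception("File not allowed: %s" % inner_path)` (assuming `os` is imported in this module). A minimal patch that keeps the substring style is `if "../" in inner_path or inner_path == ".." or inner_path.endswith("/.."):`, though it still leaves backslash separators unhandled. The enclosing method's `def` line is outside the hunk.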
[A-Za-z0-9]+[A-Za-z0-9\._-]+)(?P