Flask: sanitize OGC schema pathing (#1593)

Tom Kralidis
2024-03-12 09:16:34 -04:00
committed by GitHub
parent d8a1b741ed
commit ff4c4f6d46
+5 -2
@@ -101,8 +101,11 @@ if (OGC_SCHEMAS_LOCATION is not None and
dirname_ = os.path.dirname(full_filepath)
basename_ = os.path.basename(full_filepath)
# TODO: better sanitization?
path_ = dirname_.replace('..', '').replace('//', '')
path_ = dirname_.replace('..', '').replace('//', '').replace('./', '')
if '..' in path_:
return 'Invalid path', 400
return send_from_directory(path_, basename_,
mimetype=get_mimetype(basename_))
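Review bot: The directory passed to `send_from_directory` on the `return` line is still derived from the request-controlled `dirname_` via string stripping, so the traversal guard Flask applies inside `send_from_directory` (it safe-joins only the second argument onto the first) covers just `basename_`, not the directory itself. The replace chain in `path_ = ...` also silently rewrites names rather than rejecting them, and the `if '..' in path_` check only fires for the few sequences the chain re-creates (for example `.//.` collapses to `..`); a canonicalization check is simpler to reason about: `base = os.path.realpath(OGC_SCHEMAS_LOCATION)`, `resolved = os.path.realpath(full_filepath)`, `if os.path.commonpath([base, resolved]) != base: return 'Invalid path', 400`, then serve from `os.path.dirname(resolved)`. A comment above the check such as `# Reject any resolved path that escapes OGC_SCHEMAS_LOCATION (symlinks included)` would make the intent clearer than the current TODO. How `full_filepath` is built is outside the hunk, and the enclosing function starts and ends outside it, so the exact base directory to compare against should be confirmed there.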