From 7b7e984bff26f4d91bfec3dfdacedcd94c35d0cf Mon Sep 17 00:00:00 2001
From: morpheus65535
Date: Mon, 1 Jul 2024 08:02:08 -0400
Subject: [PATCH] Fixed file traversal via path filename vulnerability in swaggerui static route. #2559
---
 bazarr/app/ui.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bazarr/app/ui.py b/bazarr/app/ui.py
index df43f7b0c..81a949035 100644
--- a/bazarr/app/ui.py
+++ b/bazarr/app/ui.py
@@ -153,8 +153,8 @@ def backup_download(filename):
 def swaggerui_static(filename):
     basepath = os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(__file__))), 'libs', 'flask_restx', 'static')
-    fullpath = os.path.join(basepath, filename)
-    if not fullpath.startswith(basepath):
+    fullpath = os.path.realpath(os.path.join(basepath, filename))
+    if not basepath == os.path.commonpath((basepath, fullpath)):
         return '', 404
     else:
         return send_file(fullpath)
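Review bot: `basepath` is still the raw `os.path.join(os.path.dirname(...), 'libs', 'flask_restx', 'static')` while `fullpath` is passed through `os.path.realpath`, so the two sides of the new `commonpath` comparison are not normalised the same way: if the install directory is reached through a symlink, or `__file__` is not already canonical, every legitimate request resolves to a path outside the literal `basepath` and the route answers 404 for files it should serve. Canonicalise the base the same way, `basepath = os.path.realpath(os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(__file__))), 'libs', 'flask_restx', 'static'))`, so the containment check compares like with like. `os.path.commonpath` also raises `ValueError` when the two paths cannot share a prefix (mixed absolute/relative paths, or different drives on Windows), which would surface as an unhandled 500 instead of the intended 404; catching `ValueError` around the check and returning `'', 404`, or delegating to Flask's `send_from_directory(basepath, filename)`, which performs this containment check itself, would close that gap. As a style point, `if not basepath == ...` reads more naturally as `if os.path.commonpath((basepath, fullpath)) != basepath:`. The route decorator for `swaggerui_static` presumably sits just above the hunk.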