Fixed file traversal via path filename vulnerability in swaggerui sta…

…tic route. #2559
morpheus65535 · Jul 1, 2024 · 7b7e984 · 7b7e984
1 parent ad88ec3
commit 7b7e984
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/bazarr/app/ui.py b/bazarr/app/ui.py
@@ -153,8 +153,8 @@ def backup_download(filename):
 def swaggerui_static(filename):
     basepath = os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(__file__))), 'libs', 'flask_restx',
                             'static')
-    fullpath = os.path.join(basepath, filename)
-    if not fullpath.startswith(basepath):
+    fullpath = os.path.realpath(os.path.join(basepath, filename))
+    if not basepath == os.path.commonpath((basepath, fullpath)):
         return '', 404
     else:
         return send_file(fullpath)