From e37b713c06c1e6baf7bc0edf6ee64fb04b149b87 Mon Sep 17 00:00:00 2001
From: Chris Warrick
Date: Tue, 30 Jan 2024 20:25:58 +0100
Subject: [PATCH] =?UTF-8?q?Fix=20#3755=20=E2=80=94=20fix=20directory=20tra?=
 =?UTF-8?q?versal=20vulnerability=20in=20`nikola=20auto`=20(#3756)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix #3755 — fix directory traversal vulnerability in auto
---
 nikola/plugins/command/auto/__init__.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/nikola/plugins/command/auto/__init__.py b/nikola/plugins/command/auto/__init__.py
index 9668b784fc..f6defb62c1 100644
--- a/nikola/plugins/command/auto/__init__.py
+++ b/nikola/plugins/command/auto/__init__.py
@@ -37,6 +37,7 @@
 import typing
 import urllib.parse
 import webbrowser
+from pathlib import Path
 
 import blinker
 import pkg_resources
@@ -521,8 +522,13 @@ async def _handle(self, request: 'web.Request') -> 'web.Response':
     async def handle_file(self, request: 'web.Request', filename: str, from_index=None) -> 'web.Response':
         """Handle file requests."""
         try:
-            filepath = self._directory.joinpath(filename).resolve()
-            if not self._follow_symlinks:
+            unresolved_path = self._directory.joinpath(filename)
+            if self._follow_symlinks:
+                normalized_path = Path(os.path.normpath(unresolved_path))
+                normalized_path.relative_to(self._directory)
+                filepath = normalized_path.resolve()
+            else:
+                filepath = unresolved_path.resolve()
                 filepath.relative_to(self._directory)
         except (ValueError, FileNotFoundError) as error:
             # relatively safe
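Review bot: The containment check in the follow-symlinks branch is purely lexical — `Path(os.path.normpath(unresolved_path)).relative_to(self._directory)` normalizes only the joined path and compares it component-wise against `self._directory` exactly as stored, so it is correct only if `self._directory` is already absolute and free of `.`/`..` components; otherwise `normpath` collapses those on one side only and every legitimate request fails with ValueError (fail-closed, but the server becomes useless). The constructor is outside this hunk, so if it already stores a resolved directory this is moot; if not, compare against `Path(os.path.normpath(self._directory))` or resolve the directory once at construction. The asymmetry between the two branches is the whole point of the fix and deserves a why-comment above `if self._follow_symlinks:`, e.g. `# follow_symlinks: reject '..' escapes lexically before resolving, so symlink targets outside the directory stay reachable; otherwise the resolved target itself must stay inside`. Note that the kept context line `filepath.relative_to(self._directory)` sits at the deeper indent and therefore belongs to the new `else:` block — worth confirming that is intended, since a reader of the unified diff may assume it applies to both branches. `handle_file`'s body continues past the end of the hunk.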