Commit a2ece3b0 authored by Alexander

[stickers] To ease my mind, check for another path escape on download

parent fea91a10
Pipeline #6951 passed with stage
in 1 minute and 46 seconds
......@@ -463,6 +463,7 @@ class StickersPlugin(GajimPlugin):
path = os.path.join(sticker_data_path(), event.id_)
if detect_path_escape(sticker_data_path(), path):
log.error('Possible path escape detected! %s', path)
log.error('Not removing path.')
return
shutil.rmtree(path)
......@@ -472,7 +473,7 @@ class StickersPlugin(GajimPlugin):
def _on_sticker_pack_received(self, event):
if event.pack.id_ not in self.sticker_requests:
log.warning('Unknown sticker pack received!' )
log.warning('Unknown sticker pack received!')
log.warning('Got %s, but the requested list is %s', event.pack.id_, self.sticker_requests)
return
......@@ -515,8 +516,14 @@ class StickersPlugin(GajimPlugin):
self.sticker_packs[event.pack.id_] = event.pack
# Create the sticker pack directory
# First, some checks
pack_path = os.path.join(sticker_data_path(), event.pack.id_)
if detect_path_escape(sticker_data_path(), event.pack.id_):
log.error('Path escape detected: Attempted path "%s"', pack_path)
log.error('Not proceeding to download!')
return
# Create the sticker pack directory
if not os.path.exists(pack_path):
os.mkdir(pack_path)
else:
......
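Review bot: The new download guard calls `detect_path_escape(sticker_data_path(), event.pack.id_)` with the raw pack id, while the removal path in the first hunk passes the joined path (`detect_path_escape(sticker_data_path(), path)`). The helper is not shown on this page, so which form it expects is inferred, but the two call sites should agree; if it resolves its second argument as a filesystem path, a bare id would be resolved against the working directory instead of the sticker directory, and the check would not be testing the location that `os.mkdir(pack_path)` writes to. Passing the joined path keeps both sites consistent: `if detect_path_escape(sticker_data_path(), pack_path):`. Separately, `self.sticker_packs[event.pack.id_] = event.pack` runs before the guard, so a rejected pack stays registered after the early `return`; moving that assignment below the check would avoid keeping state for a pack that was refused. The enclosing method starts and ends outside the hunk.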