Commit a2ece3b0 authored by Alexander's avatar Alexander

[stickers] To ease my mind, check for another path escape on download

parent fea91a10
...@@ -463,6 +463,7 @@ class StickersPlugin(GajimPlugin): ...@@ -463,6 +463,7 @@ class StickersPlugin(GajimPlugin):
path = os.path.join(sticker_data_path(), event.id_) path = os.path.join(sticker_data_path(), event.id_)
if detect_path_escape(sticker_data_path(), path): if detect_path_escape(sticker_data_path(), path):
log.error('Possible path escape detected! %s', path) log.error('Possible path escape detected! %s', path)
log.error('Not removing path.')
return return
shutil.rmtree(path) shutil.rmtree(path)
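Review bot: The removal-side check here passes the joined path (`detect_path_escape(sticker_data_path(), path)`), while the new download-side check in the third hunk passes the bare identifier (`detect_path_escape(sticker_data_path(), event.pack.id_)`) even though `pack_path` has just been built on the line above it; unless the helper accepts both forms, one of the two calls is not checking what it seems to, and an absolute `id_` only becomes visible as an escape after the join. Using the same argument at both call sites, e.g. `if detect_path_escape(sticker_data_path(), pack_path):` in the third hunk, removes the ambiguity. In that same hunk the pack is stored in `self.sticker_packs` before the check runs, so a rejected pack appears to stay registered after the early `return`; moving the assignment below the check, or dropping the entry before returning, would keep state consistent. `detect_path_escape` itself is not visible here, so this is inferred from its call sites, and the enclosing method of this hunk starts outside the hunk.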
...@@ -472,7 +473,7 @@ class StickersPlugin(GajimPlugin): ...@@ -472,7 +473,7 @@ class StickersPlugin(GajimPlugin):
def _on_sticker_pack_received(self, event): def _on_sticker_pack_received(self, event):
if event.pack.id_ not in self.sticker_requests: if event.pack.id_ not in self.sticker_requests:
log.warning('Unknown sticker pack received!' ) log.warning('Unknown sticker pack received!')
log.warning('Got %s, but the requested list is %s', event.pack.id_, self.sticker_requests) log.warning('Got %s, but the requested list is %s', event.pack.id_, self.sticker_requests)
return return
...@@ -515,8 +516,14 @@ class StickersPlugin(GajimPlugin): ...@@ -515,8 +516,14 @@ class StickersPlugin(GajimPlugin):
self.sticker_packs[event.pack.id_] = event.pack self.sticker_packs[event.pack.id_] = event.pack
# Create the sticker pack directory # First, some checks
pack_path = os.path.join(sticker_data_path(), event.pack.id_) pack_path = os.path.join(sticker_data_path(), event.pack.id_)
if detect_path_escape(sticker_data_path(), event.pack.id_):
log.error('Path escape detected: Attempted path "%s"', pack_path)
log.error('Not proceeding to download!')
return
# Create the sticker pack directory
if not os.path.exists(pack_path): if not os.path.exists(pack_path):
os.mkdir(pack_path) os.mkdir(pack_path)
else: else:
......