3diy
/
moonraker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

file_manager: fix internal access check 

Include the reserved file check in the `can_access_path()` method.  This
fixes a potential vulnerability in the notifier where it may be possible
to attach a reserved file to a notification.

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
This commit is contained in:
Eric Callahan 2023-01-08 07:17:43 -05:00
parent fe9a9899e3
commit a4b496d135
No known key found for this signature in database
GPG Key ID: 5A1EB336DFB4C71B
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
moonraker/components/file_manager/file_manager.py
View File

@ -334,7 +334,7 @@ class FileManager:
for registered in self.file_paths.values(): for registered in self.file_paths.values():
reg_root_path = pathlib.Path(registered).resolve() reg_root_path = pathlib.Path(registered).resolve()
if reg_root_path in path.parents: if reg_root_path in path.parents:
return True return not self.check_reserved_path(path, False, False)
return False return False
def upload_queue_enabled(self) -> bool: def upload_queue_enabled(self) -> bool: