Added a protection that the directory to be removed looks like a shar…
…euid
jorvis committed Oct 2, 2024
1 parent 5e7d0bb commit b6e3439
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions www/cgi/delete_upload_in_progress.cgi
Expand Up @@ -8,6 +8,7 @@ import cgi
import json
import os, sys
import shutil
import re

lib_path = os.path.abspath(os.path.join('..', '..', 'lib'))
sys.path.append(lib_path)
Expand Down Expand Up @@ -37,6 +38,12 @@ def main():

user_upload_file_path = os.path.join(user_upload_file_base, session_id, share_uid)

# Make sure the final directory looks like a share_uid (8 alphanumeric characters)
if not re.match(r'^[a-zA-Z0-9]{8}$', share_uid):
result['message'] = 'Invalid share_uid: ' + share_uid
print(json.dumps(result))
return

if not os.path.exists(user_upload_file_path):
result['message'] = 'Upload directory not found: ' + user_upload_file_path
print(json.dumps(result))
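Review bot: The new check in main() constrains only `share_uid`, but `session_id` is joined into the same path two lines earlier and nothing visible in this hunk validates it. Its origin is outside the hunk; if it comes from the request, a value with parent-directory segments or an absolute path would still decide which directory the script goes on to remove (per the commit title), as long as the last component is eight alphanumerics. Consider resolving the joined path and confirming containment before acting on it, for example `base = os.path.realpath(user_upload_file_base)` followed by `if os.path.commonpath([base, os.path.realpath(user_upload_file_path)]) != base:` with the same error return. Separately, `$` in Python also matches just before a trailing newline, so `re.fullmatch(r'[a-zA-Z0-9]{8}', share_uid)` is the stricter form of the added test. main() starts and ends outside the hunk, so this is based only on the lines shown.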
