Comments (8)
Hmm no directory listing here but I can cause an unrelated error, which is worrying! Do you know if there is a fix upstream?
from django-filebrowser-no-grappelli.
Sorry, I can't fix it.
But I can show how to fix it.
Use this function. It returns the absolute path if there is no access error.
import os

def _fix_listing(root, *path):
    path = os.path.join(root, *path)  # join the user-supplied components onto the root
    abspath = os.path.abspath(os.path.normpath(path))  # collapse any '..' components
    if not (abspath == root or abspath.startswith(root.rstrip(os.sep) + os.sep)):  # separator-aware containment check, so a sibling like root + 'x' is rejected
        raise ValueError('Access Denited')
    return abspath
>>> _fix_listing("C:\\", "../../", "home")
'C:\\home'
>>> _fix_listing("C:\\dir", "../../", "home")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "<stdin>", line 5, in _fix_listing
ValueError: Access Denited
>>> _fix_listing("C:\\dir", "somedir/dir/../../", "home")
'C:\\dir\\home'
>>> _fix_listing("C:\\dir", "somedir/dir/../../home/")
'C:\\dir\\home'
>>> _fix_listing("C:\\dir", "somedir/dir/../../home")
'C:\\dir\\home'
I just pushed a fix like yours. Would you care to help me find other places that have the same problem? (uploads, directory creation, file version/thumbnail creation)
I tried to check the upstream code to see if the issue was fixed there, but the code has changed dramatically so it's not obvious to me.
I added some validations.
ROOT_DIR = os.path.abspath(os.path.join(fb_settings.MEDIA_ROOT, fb_settings.DIRECTORY))
# root directory for all file manipulation; access outside ROOT_DIR must not be allowed.
I added two functions.
_check_access - checks access to a path; if access is allowed it returns the absolute path to the file, otherwise it raises an exception (similar to how we raise an exception if the path is None).
_check_name - checks that directory or file names are valid. It is similar to the check in the form (but in the form check we can see the problem with names such as '../../name').
Maybe I misunderstood the logic of FOLDER_REGEX; better not to use it.
This fix is needed for people who use the Django admin app for all users (not just staff). I have seen many such examples of using the Django admin app.
I will try to reconsider the logic of the fix, maybe I'm mistaken; during the week I will look again (sorry, I did it in haste).
And a similar fix is needed for the admin app with grappelli.
I apologize for my English.
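A hardened version of the two helpers this comment describes, and of the earlier _fix_listing, written as an added example that is not the project's code. ROOT_DIR is constructed and check_access, check_name and is_allowed are assumed names; it uses posixpath so the results do not depend on the host OS. The containment check is separator-aware (a bare startswith() would accept a sibling such as uploads_old), and absolute components are rejected, which is the upload case raised later in the thread.

```python
import posixpath

# Constructed root; in the project this is MEDIA_ROOT joined with DIRECTORY.
ROOT_DIR = "/var/www/media/uploads"


class AccessDenied(ValueError):
    """Raised when a requested path or name would leave ROOT_DIR."""


def check_access(root, *parts):
    """Join parts under root and return the absolute path, or raise AccessDenied
    if the normalised result is not root itself or a descendant of it."""
    root = posixpath.normpath(posixpath.abspath(root))
    # join() discards root if any part is absolute, so "/etc/passwd" is caught below
    target = posixpath.normpath(posixpath.abspath(posixpath.join(root, *parts)))
    inside = target == root or target.startswith(root.rstrip("/") + "/")
    if not inside:
        raise AccessDenied("Access denied: %s" % target)
    return target


def check_name(name):
    """Validate a single file or directory name (not a path): reject empty names,
    path separators, NUL bytes and the traversal components '.' and '..'."""
    if (not name or name in (".", "..") or "/" in name or "\\" in name
            or "\x00" in name):
        raise AccessDenied("Bad name: %r" % name)
    return name


def is_allowed(root, *parts):
    """Boolean wrapper around check_access, handy for tests and logging."""
    try:
        check_access(root, *parts)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    for parts in (("somedir/dir/../../", "home"), ("../../", "home"),
                  ("../uploads_old/x",), ("/etc/passwd",)):
        print(parts, "->", is_allowed(ROOT_DIR, *parts))
```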
If you really want to improve this app, you have to take steps to resolve the issue.
Because of the vulnerability, at minimum someone can look at the project's code,
and at maximum gain full access to the operating system.
I think you understand the danger of this problem.
Yes, this is a serious issue. I'll look at your other changes when I have a few minutes.
Your changes look pretty good. Creating a module-level ROOT_DIR does interfere with some dynamic sites monkeypatching I'm doing, so I'll make a small change there and do some testing.
I found a real security error, where any user can upload any file into any directory in the OS with the rights of the web application.
Strange, very strange.