vassili/seitime-frappe
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

fix(response): harden download_backup

Browse source 
Made use of util `check_path_safety` to ensure sandboxing.
This commit is contained in:
AarDG10 2026-04-20 18:57:46 +05:30
parent 7c9ce26469
commit 0c660477ee
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
frappe/utils/response.py
View file

@ -26,6 +26,7 @@ import frappe.sessions
import frappe.utils
from frappe import _
from frappe.core.doctype.access_log.access_log import make_access_log
from frappe.core.doctype.file.utils import check_path_safety
from frappe.utils import format_timedelta, orjson_dumps
if TYPE_CHECKING:
@ -280,6 +281,13 @@ def download_backup(path):
_("You need to be logged in and have System Manager Role to be able to access backups.")
)
filename = path.split("/backups/", 1)[1]
backup_path = frappe.get_site_path("private", "backups")
requested_path = frappe.get_site_path("private", "backups", filename)
is_safe = check_path_safety(base_path=backup_path, requested_path=requested_path)
if not is_safe:
frappe.throw(_("Invalid backup path"), frappe.PermissionError)
return send_private_file(path)