fix(middleware): check path before returning file (#34651)

Reference: support ticket 52956
Akhil Narang 2025-11-10 16:02:36 +05:30 committed by GitHub
parent 90e76220e3
commit 35b459eaab
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -1,7 +1,7 @@
# Copyright (c) 2015, Frappe Technologies Pvt. Ltd. and Contributors
# License: MIT. See LICENSE
import os
from pathlib import Path
from werkzeug.exceptions import NotFound
from werkzeug.middleware.shared_data import SharedDataMiddleware
@ -18,11 +18,12 @@ class StaticDataMiddleware(SharedDataMiddleware):
def get_directory_loader(self, directory):
def loader(path):
site = get_site_name(frappe.app._site or self.environ.get("HTTP_HOST"))
path = os.path.join(directory, site, "public", "files", cstr(path))
if os.path.isfile(path):
return os.path.basename(path), self._opener(path)
else:
files_path = Path(directory) / site / "public" / "files"
requested_path = Path(cstr(path))
path = (files_path / requested_path).resolve()
if not path.is_relative_to(files_path) or not path.is_file():
raise NotFound
# return None, None
return path.name, self._opener(path)
return loader
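Review bot: In `loader`, the new containment test compares a resolved `path` against an unresolved `files_path`, so if `directory` is relative, or any component of it or of the site folder is a symlink, every legitimate file fails `is_relative_to` and is answered with a 404. The check fails closed, which is the safe direction, but resolving the base too makes it compare two canonical paths: `files_path = (Path(directory) / site / "public" / "files").resolve()`. A short comment above the check, such as `# resolve() collapses ".." and symlinks; only serve files that stay under the site's public/files`, would tell the next maintainer why it must not be simplified away. The enclosing class starts outside this hunk, so whether `directory` is already absolute and canonical cannot be confirmed from here.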