fix(static_page): ensure that requested files are within app/www

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
This commit is contained in:
Akhil Narang 2025-10-14 16:54:57 +05:30
parent 395af8aa04
commit a5ed4cf3e7
No known key found for this signature in database
GPG key ID: 9DCC61E211BF645F


@ -1,5 +1,6 @@
import mimetypes
import os
from pathlib import Path
from werkzeug.wrappers import Response
from werkzeug.wsgi import wrap_file
@ -34,9 +35,15 @@ class StaticPage(BaseRenderer):
if not self.is_valid_file_path():
return
for app in frappe.get_installed_apps():
file_path = frappe.get_app_path(app, "www") + "/" + self.path
if os.path.isfile(file_path) and is_binary_file(file_path):
self.file_path = file_path
app_path = Path(frappe.get_app_path(app, "www"))
requested_path = (app_path / self.path).resolve()
if (
requested_path.is_relative_to(app_path)
and requested_path.is_file()
and is_binary_file(requested_path)
):
self.file_path = requested_path
break
def can_render(self):
return self.is_valid_file_path() and self.file_path
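Review bot: Only one side of the containment check is canonicalised: `requested_path` is passed through `resolve()` but `app_path` is used as returned by `frappe.get_app_path`, so if an app's `www` directory is reached through a symlink (or the returned path is not already absolute and normalised) `requested_path.is_relative_to(app_path)` is False for every file and nothing is served. Resolving the base as well keeps the check meaningful on both sides: `app_path = Path(frappe.get_app_path(app, "www")).resolve()`. `Path.is_relative_to` only exists on Python 3.9+, which is presumably already the project's floor but worth confirming. Note also that `self.file_path` now holds a `Path` where it previously held a `str`, and `can_render` returns it as-is, so consumers that do string operations on it would need checking. The enclosing method starts outside the hunk.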