From 55c527bfdbd269afa73eac802fe89719b96de0c3 Mon Sep 17 00:00:00 2001
From: Andrew
Date: Tue, 6 Dec 2022 15:09:11 -0500
Subject: [PATCH 1/3] Be sure a user cannot server import crafty dir
---
 app/classes/web/server_handler.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/app/classes/web/server_handler.py b/app/classes/web/server_handler.py
index 08162365..e7fbefad 100644
--- a/app/classes/web/server_handler.py
+++ b/app/classes/web/server_handler.py
@@ -5,6 +5,7 @@ import time
 import tornado.web
 import tornado.escape
 import bleach
+from pathlib import Path
 
 from app.classes.models.crafty_permissions import EnumPermissionsCrafty
 from app.classes.shared.helpers import Helpers
@@ -319,6 +320,13 @@ class ServerHandler(BaseHandler):
             return
         import_type = bleach.clean(self.get_argument("create_type", ""))
         import_server_path = bleach.clean(self.get_argument("server_path", ""))
+        if Path(self.controller.project_root).is_relative_to(import_server_path):
+            self.redirect(
+                "/panel/error?error=Loop Error: The selected path will cause"
+                " an infinite copy loop. Make sure Crafty's directory is not"
+                " in your server path."
+            )
+            return
         import_server_jar = bleach.clean(self.get_argument("server_jar", ""))
         server_parts = server.split("|")
         captured_roles = []
@@ -468,6 +476,13 @@ class ServerHandler(BaseHandler):
             return
         import_type = bleach.clean(self.get_argument("create_type", ""))
         import_server_path = bleach.clean(self.get_argument("server_path", ""))
+        if Path(self.controller.project_root).is_relative_to(import_server_path):
+            self.redirect(
+                "/panel/error?error=Loop Error: The selected path will cause"
+                " an infinite copy loop. Make sure Crafty's directory is not"
+                " in your server path."
+            )
+            return
         import_server_exe = bleach.clean(self.get_argument("server_jar", ""))
         server_parts = server.split("|")
         captured_roles = []
From 98da08bde6f4eff9274faa35b5b9998b1e24abec Mon Sep 17 00:00:00 2001
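Review bot: The guard added after `import_server_path` in the second hunk (and repeated in the third) compares paths lexically, so the same directory spelled with `..` segments, through a symlink, or as a relative path is not recognised, because `PurePath.is_relative_to` neither normalises nor follows links. Resolving both sides first closes that gap: `if Path(self.controller.project_root).resolve().is_relative_to(Path(import_server_path).resolve()):`. Since the check and its redirect message are duplicated verbatim in both handlers, a small private helper on the class would keep them in step. `Path.is_relative_to` requires Python 3.9 or newer, which I cannot confirm from this diff. Both enclosing methods start and end outside the hunk.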
From: Andrew
Date: Tue, 6 Dec 2022 15:11:36 -0500
Subject: [PATCH 2/3] Appease the linter
---
 app/classes/web/server_handler.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/classes/web/server_handler.py b/app/classes/web/server_handler.py
index e7fbefad..f17c7753 100644
--- a/app/classes/web/server_handler.py
+++ b/app/classes/web/server_handler.py
@@ -2,10 +2,10 @@ import json
 import logging
 import os
 import time
+from pathlib import Path
 import tornado.web
 import tornado.escape
 import bleach
-from pathlib import Path
 
 from app.classes.models.crafty_permissions import EnumPermissionsCrafty
 from app.classes.shared.helpers import Helpers
From 1e9bb97bdc50d225bfc26e484f99e4caa0c70696 Mon Sep 17 00:00:00 2001
From: Zedifus
Date: Wed, 7 Dec 2022 14:33:47 +0000
Subject: [PATCH 3/3] Update changelog !506
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dae036f7..43b4471f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ TBD
 - Fix '+' char in path causing any file operation to fail. ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/502))
 - Fix colours on public pages. ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/504))
 - Fix bug where public background was not sent to public pages...like the error page resulting in an error...ironic...I know. ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/505))
+- Be sure a user cannot server import crafty dir. ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/506))
 ### Tweaks
 TBD
 ### Lang