From b4bb4c393b26072b9a47f787be134888b983af60 Mon Sep 17 00:00:00 2001
From: Aikes
Date: Sat, 27 Feb 2016 00:10:32 +0800
Subject: [PATCH] Fixes file path traversal issue on win platform.

POC: GET /download/b31146dcdb92e5db/C:\windows\win.ini/a
---
 lib/utils/api.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/lib/utils/api.py b/lib/utils/api.py
index 799d0379a..69a3efdf6 100644
--- a/lib/utils/api.py
+++ b/lib/utils/api.py
@@ -622,14 +622,13 @@ def download(taskid, target, filename):
         logger.warning("[%s] Invalid task ID provided to download()" % taskid)
         return jsonize({"success": False, "message": "Invalid task ID"})
 
-    # Prevent file path traversal - the lame way
-    if ".." in target:
+    path = os.path.abspath(os.path.join(paths.SQLMAP_OUTPUT_PATH, target, filename))
+    # Prevent file path traversal
+    if not path.startswith(paths.SQLMAP_OUTPUT_PATH):
         logger.warning("[%s] Forbidden path (%s)" % (taskid, target))
         return jsonize({"success": False, "message": "Forbidden path"})
 
-    path = os.path.join(paths.SQLMAP_OUTPUT_PATH, target)
-
-    if os.path.exists(path):
+    if os.path.isfile(path):
         logger.debug("[%s] Retrieved content of file %s" % (taskid, target))
         with open(path, 'rb') as inf:
             file_content = inf.read()
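Review bot: The containment check `if not path.startswith(paths.SQLMAP_OUTPUT_PATH):` is a bare string-prefix test, so it also accepts any sibling directory whose name merely begins with the output directory's name, and it compares a normalized `path` against a base that is itself never normalized (a relative or trailing-separator value of `paths.SQLMAP_OUTPUT_PATH` would make every request fail or pass the test inconsistently). Anchor the comparison on a normalized base with a separator appended: `base = os.path.abspath(paths.SQLMAP_OUTPUT_PATH)` and `if not path.startswith(os.path.join(base, "")):`, so only descendants of the output directory are accepted. On Windows the comparison is also case-sensitive while the filesystem is not; wrapping both sides in `os.path.normcase` before the `startswith` closes that gap, and `os.path.realpath` instead of `abspath` would additionally resolve symlinks inside the output tree, though whether that is desired depends on how the output directory is populated. The enclosing `download()` starts before and continues after this hunk.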