From aa02019638ea957d4e38969fef7e14c2c36e483c Mon Sep 17 00:00:00 2001 From: Mathieu Deous Date: Sat, 14 Dec 2013 16:33:17 +0100 Subject: [PATCH] return file content in a json message when calling download endpoint --- lib/utils/api.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/lib/utils/api.py b/lib/utils/api.py index 453181b6a..472b026ec 100644 --- a/lib/utils/api.py +++ b/lib/utils/api.py @@ -598,18 +598,20 @@ def download(taskid, target, filename): Download a certain file from the file system """ if taskid not in tasks: - abort(500, "Invalid task ID") + return jsonize({"success": False, "message": "Invalid task ID"}) # Prevent file path traversal - the lame way - if target.startswith("."): - abort(500) + if ".." in target: + return jsonize({"success": False, "message": "Forbidden path"}) path = os.path.join(paths.SQLMAP_OUTPUT_PATH, target) if os.path.exists(path): - return static_file(filename, root=path) + with open(path, 'rb') as inf: + file_content = inf.read() + return jsonize({"success": True, "file": file_content.encode("base64")}) else: - abort(500, "File does not exist") + return jsonize({"success": False, "message": "File does not exist"}) def server(host="0.0.0.0", port=RESTAPI_SERVER_PORT):