return file content in a json message when calling download endpoint

Mathieu Deous 2013-12-14 16:33:17 +01:00
parent c87ad1bab5
commit aa02019638


@ -598,18 +598,20 @@ def download(taskid, target, filename):
Download a certain file from the file system Download a certain file from the file system
""" """
if taskid not in tasks: if taskid not in tasks:
abort(500, "Invalid task ID") return jsonize({"success": False, "message": "Invalid task ID"})
# Prevent file path traversal - the lame way # Prevent file path traversal - the lame way
if target.startswith("."): if ".." in target:
abort(500) return jsonize({"success": False, "message": "Forbidden path"})
path = os.path.join(paths.SQLMAP_OUTPUT_PATH, target) path = os.path.join(paths.SQLMAP_OUTPUT_PATH, target)
if os.path.exists(path): if os.path.exists(path):
return static_file(filename, root=path) with open(path, 'rb') as inf:
file_content = inf.read()
return jsonize({"success": True, "file": file_content.encode("base64")})
else: else:
abort(500, "File does not exist") return jsonize({"success": False, "message": "File does not exist"})
def server(host="0.0.0.0", port=RESTAPI_SERVER_PORT): def server(host="0.0.0.0", port=RESTAPI_SERVER_PORT):
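Review bot: The new `".." in target` check still lets an absolute `target` through, because `os.path.join` discards `paths.SQLMAP_OUTPUT_PATH` when the second component is absolute, and the `startswith(".")` guard it replaces is gone. In the visible new lines `filename` is also no longer used: `path` is built from `target` alone, so `open(path, 'rb')` appears to open the directory rather than the requested file. I would join `target` and `filename`, canonicalise the result with `os.path.realpath`, and reject anything that does not stay under the output directory, as sketched below. The whole file is read into memory and base64-encoded into the response, so a size cap may be worth adding. The function's `def` line and the start of its docstring are outside the hunk.

```python
# Canonicalise first (resolves "..", symlinks and absolute components), then require containment
root = os.path.realpath(paths.SQLMAP_OUTPUT_PATH)
path = os.path.realpath(os.path.join(root, target, filename))
if not path.startswith(root + os.sep):
    return jsonize({"success": False, "message": "Forbidden path"})
if os.path.isfile(path):
    # … unchanged: read the file and return it base64-encoded …
else:
    # … unchanged: "File does not exist" response …
```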