Fixes a file path traversal issue on the Windows platform.

POC: GET /download/b31146dcdb92e5db/C:\windows\win.ini/a
This commit is contained in:
Aikes 2016-02-27 00:10:32 +08:00
parent d69ef5ec49
commit b4bb4c393b


@ -622,14 +622,13 @@ def download(taskid, target, filename):
logger.warning("[%s] Invalid task ID provided to download()" % taskid) logger.warning("[%s] Invalid task ID provided to download()" % taskid)
return jsonize({"success": False, "message": "Invalid task ID"}) return jsonize({"success": False, "message": "Invalid task ID"})
# Prevent file path traversal - the lame way path = os.path.abspath(os.path.join(paths.SQLMAP_OUTPUT_PATH, target, filename))
if ".." in target: # Prevent file path traversal
if not path.startswith(paths.SQLMAP_OUTPUT_PATH):
logger.warning("[%s] Forbidden path (%s)" % (taskid, target)) logger.warning("[%s] Forbidden path (%s)" % (taskid, target))
return jsonize({"success": False, "message": "Forbidden path"}) return jsonize({"success": False, "message": "Forbidden path"})
path = os.path.join(paths.SQLMAP_OUTPUT_PATH, target) if os.path.isfile(path):
if os.path.exists(path):
logger.debug("[%s] Retrieved content of file %s" % (taskid, target)) logger.debug("[%s] Retrieved content of file %s" % (taskid, target))
with open(path, 'rb') as inf: with open(path, 'rb') as inf:
file_content = inf.read() file_content = inf.read()