

replace send_file to send_from_directory
Fix a path traversal vulnerability.
Stefal committed Dec 17, 2024
1 parent c303ffc commit c4cb52a
Showing 1 changed file with 5 additions and 4 deletions.
9 changes: 5 additions & 4 deletions web_app/server.py
Expand Up @@ -53,7 +53,7 @@

from flask_bootstrap import Bootstrap4
from flask import Flask, render_template, session, request, flash, url_for
from flask import send_file, send_from_directory, redirect, abort
from flask import send_from_directory, redirect, abort
from flask import g
from flask_wtf import FlaskForm
from wtforms import PasswordField, BooleanField, SubmitField
Expand Down Expand Up @@ -465,8 +465,7 @@ def logs_page():
def downloadLog(log_name):
""" Route for downloading raw gnss data"""
try:
full_log_path = rtk.logm.log_path + "/" + log_name
return send_file(full_log_path, as_attachment = True)
return send_from_directory(rtk.logm.log_path, log_name, as_attachment = True)
except FileNotFoundError:
abort(404)

Expand Down Expand Up @@ -670,7 +669,9 @@ def reset_settings():
@login_required
def backup_settings():
settings_file_name = str("RTKBase_{}_{}_{}.conf".format(rtkbaseconfig.get("general", "version"), rtkbaseconfig.get("ntrip_A", "mnt_name_a").strip("'"), time.strftime("%Y-%m-%d_%HH%M")))
return send_file(os.path.join(rtkbase_path, "settings.conf"), as_attachment=True, download_name=settings_file_name)
#return send_file(os.path.join(rtkbase_path, "settings.conf"), as_attachment=True, download_name=settings_file_name)
return send_from_directory(rtkbase_path, "settings.conf", as_attachment=True, download_name=settings_file_name)


@socketio.on("restore settings", namespace="/test")
def restore_settings_file(json_msg):
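Review bot: The `except FileNotFoundError:` / `abort(404)` pair following the new `send_from_directory(rtk.logm.log_path, log_name, as_attachment = True)` call in `downloadLog` is now effectively dead: `send_from_directory` runs `safe_join()` on `log_name` and checks the file exists itself, raising `werkzeug.exceptions.NotFound` (a 404) for both a rejected path and a missing file, so a `FileNotFoundError` can only escape in the narrow race between that check and the open. Either drop the `try`/`except` or keep it and document the contract the fix relies on, e.g. `# send_from_directory applies safe_join(), so log_name cannot escape log_path; rejected or missing paths raise NotFound (404)`. One behavioural caveat to confirm: if `rtk.logm.log_path` is relative, `send_from_directory` resolves it against the Flask application root rather than the working directory the old `log_path + "/" + log_name` concatenation implicitly used. The route decorators for `downloadLog` sit above the hunk; in the `backup_settings` hunk the commented-out `send_file` line should be deleted rather than left in, and `as_attachment = True` should read `as_attachment=True` per PEP 8.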

