diff --git a/app/classes/shared/helpers.py b/app/classes/shared/helpers.py
index c4d9ad10..350a99e2 100644
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
@@ -376,6 +376,18 @@ class Helpers:
 return default_return
+ @staticmethod
+ def is_subdir(server_path, root_dir):
+ server_path = os.path.realpath(server_path)
+ root_dir = os.path.realpath(root_dir)
+
+ relative = os.path.relpath(server_path, root_dir)
+
+ if relative.startswith(os.pardir):
+ return False
+ else:
+ return True
+
 def set_setting(self, key, new_value):
 try:
 with open(self.settings_file, "r", encoding="utf-8") as f:
diff --git a/app/classes/web/server_handler.py b/app/classes/web/server_handler.py
index 04644689..e6ecc719 100644
--- a/app/classes/web/server_handler.py
+++ b/app/classes/web/server_handler.py
@@ -2,7 +2,6 @@ import json
 import logging
 import os
 import time
-from pathlib import PurePosixPath
 import tornado.web
 import tornado.escape
 import bleach
@@ -320,8 +319,8 @@ class ServerHandler(BaseHandler):
 return
 import_type = bleach.clean(self.get_argument("create_type", ""))
 import_server_path = bleach.clean(self.get_argument("server_path", ""))
- if PurePosixPath(self.controller.project_root).is_relative_to(
- import_server_path
+ if not self.helper.is_subdir(
+ import_server_path, self.controller.project_root
 ):
 self.redirect(
 "/panel/error?error=Loop Error: The selected path will cause"
@@ -478,9 +477,7 @@ class ServerHandler(BaseHandler):
 return
 import_type = bleach.clean(self.get_argument("create_type", ""))
 import_server_path = bleach.clean(self.get_argument("server_path", ""))
- if PurePosixPath(self.controller.project_root).is_relative_to(
- import_server_path
- ):
+ if self.helper.is_subdir(import_server_path, self.controller.project_root):
 self.redirect(
 "/panel/error?error=Loop Error: The selected path will cause"
 " an infinite copy loop. Make sure Crafty's directory is not"
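Review bot: `relative.startswith(os.pardir)` in the new `is_subdir` is a string-prefix test, so a directory directly under `root_dir` whose name merely begins with two dots (a constructed example: `..data`) is reported as outside the root. `os.path.relpath` also raises `ValueError` on Windows when the two paths are on different drives, and nothing here catches it even though `server_path` reaches this helper from a request argument in server_handler.py. The check should match the `..` path component itself and treat the `ValueError` as "not inside". A one-line docstring saying that the first argument is the candidate, the second is the container, and equal paths count as inside would also help callers keep the argument order straight.

```python
    def is_subdir(server_path, root_dir):
        # … unchanged: realpath() normalisation of both arguments …
        try:
            relative = os.path.relpath(server_path, root_dir)
        except ValueError:
            # Windows: paths on different drives have no relative form.
            return False
        # Match the ".." component itself, not any name that begins with "..".
        return relative != os.pardir and not relative.startswith(os.pardir + os.sep)
```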
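Review bot: The two rewritten guards disagree with each other: this one redirects to the Loop Error when `not self.helper.is_subdir(import_server_path, self.controller.project_root)`, while the one in the hunk at -478/+477 redirects when the same call is true, so for any given path exactly one of the two handlers reports a loop. Both also reverse the direction of the removed check, which tested whether `project_root` was relative to `import_server_path`. The visible part of the message ("Make sure Crafty's directory is not…") suggests the case to reject is the project root lying inside the selected path, which would read `if self.helper.is_subdir(self.controller.project_root, import_server_path):` in both places. As written, the guard at +477 appears to accept a selected path that is an ancestor of the project root, which is the copy-loop case the message describes. Both handler bodies continue outside the hunks.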