
api, browse: Ensure to sanitize filename passed to django FileResponse
Closed, Public

Authored by anlambert on Dec 7 2022, 5:55 PM.

Details

Summary

Django might try to access the file if the value provided to the filename
query parameter of associated views is an absolute path.

Fixes SWH-WEBAPP-4B9

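The fix described in the summary comes down to one rule: a value read from a `filename` query parameter must be reduced to a single relative path component before it reaches `django.http.FileResponse`, because FileResponse derives response headers from that name and, as the summary notes, may treat an absolute path as a file on disk. The following is an added example of that sanitization, not code from the Software Heritage web application or from Django. Django is deliberately not imported so the block runs stand-alone; `download_kwargs` returns the keyword arguments a view would forward to `FileResponse`, a plain dict stands in for `request.GET`, and all function names are hypothetical.

```python
"""Sanitize a caller-supplied download filename before passing it to
django.http.FileResponse(..., filename=...).

Added example, not Software Heritage or Django code. Names are hypothetical."""
import os
import posixpath
import re

# Reject path separators, NUL and other control characters: separators turn
# the value back into a path, control characters can corrupt the
# Content-Disposition header the filename ends up in.
_UNSAFE = re.compile(r"[\x00-\x1f\x7f/\\]")


def sanitize_filename(value: str, default: str = "download") -> str:
    """Reduce an untrusted string to a single, relative path component."""
    # Normalise Windows separators first: os.path.basename on POSIX would
    # keep "C:\\Windows\\win.ini" intact.
    name = posixpath.basename(value.replace("\\", "/"))
    name = _UNSAFE.sub("", name)
    # "." and ".." are directory references, not file names; an empty
    # result (e.g. from "/" or "dir/") gets the caller-supplied default.
    if name in ("", ".", ".."):
        return default
    return name


def is_safe_filename(name: str) -> bool:
    """Post-condition a view can check before building the response."""
    return (
        name != ""
        and not os.path.isabs(name)
        and "/" not in name
        and "\\" not in name
        and name not in (".", "..")
        and _UNSAFE.search(name) is None
    )


def download_kwargs(query_params: dict, default_name: str) -> dict:
    """Build FileResponse keyword arguments from the request's query string.

    `query_params` stands in for request.GET. The unsafe pattern this
    replaces is
        FileResponse(io.BytesIO(data), filename=request.GET["filename"])
    which hands whatever the client sent, absolute paths included, straight
    to FileResponse.
    """
    requested = query_params.get("filename", default_name)
    safe = sanitize_filename(requested, default_name)
    if not is_safe_filename(safe):
        # Should be unreachable; fail closed rather than serve a bad header.
        raise ValueError(f"unsafe filename after sanitization: {safe!r}")
    return {"as_attachment": True, "filename": safe}


if __name__ == "__main__":
    # Constructed inputs covering the cases the summary is about.
    for raw in ["/etc/passwd", "../../x.txt", "C:\\Windows\\win.ini",
                "..", "a\x00b.txt", "report.tar.gz"]:
        print(repr(raw), "->", download_kwargs({"filename": raw}, "content"))
```

The view would then call `FileResponse(io.BytesIO(data), **download_kwargs(request.GET, default_name))`. Stripping to a basename is preferable to rejecting the request outright: the filename only affects the suggested download name, so a degraded name is harmless while a 4xx for a stray slash is needless friction.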
Diff Detail

Repository
rDWAPPS Web applications
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Build is green

Patch application report for D8945 (id=32222)

Rebasing onto 36ce2b462f...

Current branch diff-target is up to date.
Changes applied before test
commit 9a29da9ad68949a46a83828bcd4ea40a217d610e
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Wed Dec 7 17:53:56 2022 +0100

    api, browse: Ensure to sanitize filename passed to django FileResponse
    
    Django might try to access the file if the value provided to the filename
    query parameter of associated views is an absolute path.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/51/ for more details.

This revision is now accepted and ready to land.
Dec 8 2022, 2:29 AM