bug fix: file manager

2025-11-07 05:45:59 +01:00 · 2021-09-01 14:39:12 +05:00
parent 1b5f0515b9
commit b01a42c0f4
2 changed files with 27 additions and 3 deletions
--- a/filemanager/filemanager.py
+++ b/filemanager/filemanager.py
@@ -604,6 +604,15 @@ class FileManager:

            pathCheck = '/home/%s' % (self.data['domainName'])

+            domainName = self.data['domainName']
+            website = Websites.objects.get(domain=domainName)
+
+            command = 'ls -la %s' % (self.data['completePath'])
+            result = ProcessUtilities.outputExecutioner(command, website.externalApp)
+
+            if result.find('->') > -1:
+                return self.ajaxPre(0, "Symlink attack.")
+
            if ACLManager.commandInjectionCheck(self.data['completePath'] + '/' + myfile.name) == 1:
                return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')

@@ -616,9 +625,6 @@ class FileManager:
                self.data['completePath'] + '/' + myfile.name)
            ProcessUtilities.executioner(command)

-            domainName = self.data['domainName']
-            website = Websites.objects.get(domain=domainName)
-
            command = 'chown %s:%s %s' % (website.externalApp, website.externalApp,
                                          self.returnPathEnclosed(self.data['completePath'] + '/' + myfile.name))
            ProcessUtilities.executioner(command)
--- a/websiteFunctions/website.py
+++ b/websiteFunctions/website.py
@@ -1000,6 +1000,15 @@ class WebsiteManager:
        else:
            fileName = "/home/" + self.domain + "/logs/" + self.domain + ".error_log"

+        command = 'ls -la %s' % fileName
+        result = ProcessUtilities.outputExecutioner(command)
+
+        if result.find('->') > -1:
+            final_json = json.dumps(
+                {'status': 0, 'logstatus': 0,
+                 'error_message': "Symlink attack."})
+            return HttpResponse(final_json)
+
        ## get Logs
        website = Websites.objects.get(domain=self.domain)

@@ -1059,6 +1068,15 @@ class WebsiteManager:

        fileName = "/home/" + self.domain + "/logs/" + self.domain + ".error_log"

+        command = 'ls -la %s' % fileName
+        result = ProcessUtilities.outputExecutioner(command)
+
+        if result.find('->') > -1:
+            final_json = json.dumps(
+                {'status': 0, 'logstatus': 0,
+                 'error_message': "Symlink attack."})
+            return HttpResponse(final_json)
+
        ## get Logs
        website = Websites.objects.get(domain=self.domain)