Security: fix path traversal in chart_name
This commit is contained in:
@@ -38,7 +38,10 @@ def _read_chart_bbox(chart_name: str) -> list | None:
|
|||||||
"""Return [west, south, east, north] from the chart's meta.json, or None."""
|
"""Return [west, south, east, north] from the chart's meta.json, or None."""
|
||||||
if not chart_name:
|
if not chart_name:
|
||||||
return None
|
return None
|
||||||
meta = os.path.join(_CHARTS_DIR, chart_name, 'meta.json')
|
# Security: prevent path traversal — chart_name must not escape _CHARTS_DIR
|
||||||
|
meta = os.path.normpath(os.path.join(_CHARTS_DIR, chart_name, 'meta.json'))
|
||||||
|
if not meta.startswith(_CHARTS_DIR + os.sep):
|
||||||
|
return None
|
||||||
try:
|
try:
|
||||||
with open(meta, 'r', encoding='utf-8') as f:
|
with open(meta, 'r', encoding='utf-8') as f:
|
||||||
data = json.load(f)
|
data = json.load(f)
|
||||||
|
|||||||
Reference in New Issue
Block a user