Security: fix path traversal in chart_name
This commit is contained in:
@@ -38,7 +38,10 @@ def _read_chart_bbox(chart_name: str) -> list | None:
|
||||
"""Return [west, south, east, north] from the chart's meta.json, or None."""
|
||||
if not chart_name:
|
||||
return None
|
||||
meta = os.path.join(_CHARTS_DIR, chart_name, 'meta.json')
|
||||
# Security: prevent path traversal — chart_name must not escape _CHARTS_DIR
|
||||
meta = os.path.normpath(os.path.join(_CHARTS_DIR, chart_name, 'meta.json'))
|
||||
if not meta.startswith(_CHARTS_DIR + os.sep):
|
||||
return None
|
||||
try:
|
||||
with open(meta, 'r', encoding='utf-8') as f:
|
||||
data = json.load(f)
|
||||
|
||||
Reference in New Issue
Block a user