ikiwiki: Validate a path when deleting wiki or blog

I tested that ikiwiki functional tests pass and running the command `sudo ./actions/ikiwiki delete --name '../'` returns an error and does not delete any directory. Signed-off-by: Veiko Aasa <veiko17@disroot.org> Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-01-28 08:03:36 +00:00 · 2020-07-23 13:57:01 +03:00 · 2020-07-23 13:57:01 +03:00 · e2e3768fe1
commit e2e3768fe1
parent f0000c4ba3
1 changed files with 10 additions and 0 deletions
--- a/actions/ikiwiki
+++ b/actions/ikiwiki
@ -46,6 +46,11 @@ def parse_arguments():
    return parser.parse_args()


+def _is_safe_path(basedir, path):
+    """Return whether a path is safe."""
+    return os.path.realpath(path).startswith(basedir)
+
+
 def subcommand_setup(_):
    """Perform first time setup operations."""
    setup()
@ -106,6 +111,11 @@ def subcommand_delete(arguments):
    html_folder = os.path.join(SITE_PATH, arguments.name)
    wiki_folder = os.path.join(WIKI_PATH, arguments.name)

+    if not (_is_safe_path(SITE_PATH, html_folder)
+            and _is_safe_path(WIKI_PATH, wiki_folder)):
+        print('Error: {0} is not a correct name.'.format(arguments.name))
+        exit(1)
+
    try:
        shutil.rmtree(html_folder)
        shutil.rmtree(wiki_folder)