From 59159c29a3e38d066fd45fdccd546a865a0ed1fc Mon Sep 17 00:00:00 2001
From: crunk
Date: Fri, 25 Mar 2022 11:24:49 +0100
Subject: [PATCH] fixed recursive folders and security issues with send_from_directory
---
 verse/distribusiworkflow.py | 2 +-
 verse/start.py | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/verse/distribusiworkflow.py b/verse/distribusiworkflow.py
index 57367a0..286429d 100644
--- a/verse/distribusiworkflow.py
+++ b/verse/distribusiworkflow.py
@@ -86,7 +86,7 @@ def GetCssFile(distribusi):
 def RunDistribusi(userfolder, cssfile):
 parser = build_argparser()
- args = parser.parse_args(["-s", cssfile])
+ args = parser.parse_args(["--menu-with-index", "-s", cssfile])
 distribusify(args, userfolder)
diff --git a/verse/start.py b/verse/start.py
index 2d7abc6..b77283d 100644
--- a/verse/start.py
+++ b/verse/start.py
@@ -5,7 +5,7 @@ from flask import (
 redirect,
 url_for,
 session,
- send_from_directory,
+ Blueprint,
 )
 from flask_login import (
 logout_user,
@@ -34,6 +34,8 @@ from statuspengguna.registeruser import RegisterUser
 from distribusisinfo import DistribusisInfo
 APP = create_app()
+stash_page = Blueprint("stash_page", __name__, static_folder="stash")
+APP.register_blueprint(stash_page)
 @APP.before_request
@@ -105,9 +107,9 @@ def selector():
 return DistribusiSelector()
-@APP.route("/stash/")
-def distribusistash(path):
- return send_from_directory("stash", path)
+@APP.route("/stash")
+def shortstashurl():
+ return redirect(url_for("index"))
 @APP.route("/admin", methods=["GET", "POST"])
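Review bot: The static route created by `stash_page = Blueprint("stash_page", __name__, static_folder="stash")` serves every file under `stash` from the application's own origin, and the hunk shows no access check or response hardening for it. If `stash` holds user-generated distribusi output, as `RunDistribusi(userfolder, cssfile)` suggests, an uploaded HTML or SVG file would execute in the same origin as the logged-in session. Consider a `@stash_page.after_request` handler that sets `X-Content-Type-Options: nosniff` and a restrictive `Content-Security-Policy`, or serving the stash from a separate host. The public URL and the folder location are both implicit here, so passing `static_url_path="/stash"` explicitly and adding a comment such as `# "stash" is resolved relative to this module's directory, not the working directory` would make the contract visible.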
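Review bot: `@APP.route("/stash")` matches only the slash-less URL, so as far as the visible rules go a request for `/stash/` reaches neither this view nor the blueprint's file route (which needs a non-empty filename) and returns 404. Registering the rule as `@APP.route("/stash/")` would cover both forms, because Werkzeug redirects the slash-less URL to the canonical one with the trailing slash. A one-line docstring on `shortstashurl`, for example `"""Redirect a bare /stash request to the index page."""`, would record why the view exists now that file serving has moved to the blueprint.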