親ディレクトリの削除を保護する

2024-12-23 17:35:53 +09:00
parent 168772b195
commit b01bdab6f9
1 changed files with 1 additions and 1 deletions
--- a/app.py
+++ b/app.py
@@ -833,7 +833,7 @@ def delete():

    parent_dir = pathlib.Path(os.getenv("TAIKO_WEB_SONGS_DIR", "public/songs"))
    target_dir = parent_dir / id
-    if target_dir.resolve().relative_to(parent_dir.resolve()) == pathlib.Path("."):
+    if not (target_dir.resolve().parents and parent_dir.resolve() in target_dir.resolve().parents):
        return flask.jsonify({ "success": False, "reason": "PARENT IS NOT ALLOWED" })

    shutil.rmtree(target_dir)