a3f73a5256 |
@@ -1048,12 +1048,21 @@ async def serve_image_studio_image(
|
|||||||
raise HTTPException(status_code=403, detail="Access denied: image not found in your library")
|
raise HTTPException(status_code=403, detail="Access denied: image not found in your library")
|
||||||
|
|
||||||
# Determine if it's an edited image or regular image
|
# Determine if it's an edited image or regular image
|
||||||
|
# Validate user-controlled path input before filesystem path construction
|
||||||
|
image_filename_path = Path(image_filename)
|
||||||
|
if image_filename_path.is_absolute() or any(part in ("", ".", "..") for part in image_filename_path.parts):
|
||||||
|
raise HTTPException(status_code=403, detail="Access denied: Invalid image path")
|
||||||
|
|
||||||
base_dir = Path(__file__).parent.parent
|
base_dir = Path(__file__).parent.parent
|
||||||
image_studio_dir = (base_dir / "image_studio_images").resolve()
|
image_studio_dir = (base_dir / "image_studio_images").resolve()
|
||||||
|
|
||||||
if image_filename.startswith("edited/"):
|
if image_filename.startswith("edited/"):
|
||||||
# Remove "edited/" prefix and serve from edited directory
|
# Remove "edited/" prefix and serve from edited directory
|
||||||
actual_filename = image_filename.replace("edited/", "", 1)
|
actual_filename = image_filename.replace("edited/", "", 1)
|
||||||
|
actual_filename_path = Path(actual_filename)
|
||||||
|
if actual_filename_path.is_absolute() or any(part in ("", ".", "..") for part in actual_filename_path.parts):
|
||||||
|
raise HTTPException(status_code=403, detail="Access denied: Invalid image path")
|
||||||
|
|
||||||
image_path = (image_studio_dir / "edited" / actual_filename).resolve()
|
image_path = (image_studio_dir / "edited" / actual_filename).resolve()
|
||||||
base_subdir = (image_studio_dir / "edited").resolve()
|
base_subdir = (image_studio_dir / "edited").resolve()
|
||||||
else:
|
else:
|
||||||
|
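Review bot: The `""` and `"."` members of the tuple tested at `if image_filename_path.is_absolute() or any(part in ("", ".", "..") for part in image_filename_path.parts)` are dead, because pathlib collapses empty and single-dot segments when it builds `parts` (`Path("").parts` and `Path(".").parts` are both `()`), so an empty `image_filename` passes the guard, and `image_filename == "edited/"` passes it too and then yields `actual_filename == ""`, which also passes the second copy of the check and resolves `image_path` to the `edited` directory itself rather than a file. The two validations are otherwise identical, so I would fold them into one helper that also rejects an empty name, as below; whether anything after the hunk (presumably a `relative_to(base_subdir)` containment check) catches the directory case cannot be seen from here. serve_image_studio_image's body begins and continues outside this hunk.
```python
def _checked_relative_name(name: str) -> Path:
    """Reject a name that is empty, absolute, or climbs out via '..' before it is joined to a base dir."""
    candidate = Path(name)
    # pathlib already drops '' and '.' segments, so '..' is the only traversal token left in parts
    if not name or candidate.is_absolute() or ".." in candidate.parts:
        raise HTTPException(status_code=403, detail="Access denied: Invalid image path")
    return candidate

    # … in serve_image_studio_image, replacing the two inline checks …
    image_filename_path = _checked_relative_name(image_filename)
    # … unchanged: base_dir / image_studio_dir setup …
    if image_filename.startswith("edited/"):
        actual_filename = image_filename.replace("edited/", "", 1)
        actual_filename_path = _checked_relative_name(actual_filename)
        # … unchanged: image_path / base_subdir resolution …
```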
|||||||
@@ -942,20 +942,9 @@ async def serve_product_avatar(
|
|||||||
if current_user_id != user_id:
|
if current_user_id != user_id:
|
||||||
raise HTTPException(status_code=403, detail="Access denied")
|
raise HTTPException(status_code=403, detail="Access denied")
|
||||||
|
|
||||||
# Restrict to a filename only (no nested paths)
|
# Locate video file
|
||||||
requested_name = Path(filename)
|
|
||||||
if requested_name.is_absolute() or requested_name.name != filename:
|
|
||||||
raise HTTPException(status_code=400, detail="Invalid filename")
|
|
||||||
|
|
||||||
# Locate and validate video file path within user's avatar directory
|
|
||||||
base_dir = Path(__file__).parent.parent.parent
|
base_dir = Path(__file__).parent.parent.parent
|
||||||
user_root = (base_dir / "product_avatars" / current_user_id).resolve()
|
video_path = base_dir / "product_avatars" / user_id / filename
|
||||||
video_path = (user_root / requested_name).resolve()
|
|
||||||
|
|
||||||
try:
|
|
||||||
video_path.relative_to(user_root)
|
|
||||||
except ValueError:
|
|
||||||
raise HTTPException(status_code=400, detail="Invalid filename")
|
|
||||||
|
|
||||||
if not video_path.exists():
|
if not video_path.exists():
|
||||||
raise HTTPException(status_code=404, detail="Video not found")
|
raise HTTPException(status_code=404, detail="Video not found")
|
||||||
@@ -963,7 +952,7 @@ async def serve_product_avatar(
|
|||||||
return FileResponse(
|
return FileResponse(
|
||||||
path=str(video_path),
|
path=str(video_path),
|
||||||
media_type="video/mp4",
|
media_type="video/mp4",
|
||||||
filename=requested_name.name
|
filename=filename
|
||||||
)
|
)
|
||||||
|
|
||||||
except HTTPException:
|
except HTTPException:
|
||||||
|
|||||||
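Review bot: On the new side of the `@@ -942,20 +942,9 @@` hunk, `video_path = base_dir / "product_avatars" / user_id / filename` joins the caller-supplied `filename` onto the avatar directory with no check at all: the `requested_name.name != filename` test and the `video_path.relative_to(user_root)` try/except that the old side had are gone, and nothing else in the hunk bounds the path. The ownership check `if current_user_id != user_id` only ties the URL's user segment to the session; it does not stop `filename` values such as `..`, a `../`-prefixed segment (if the route declares the parameter as a path), or an absolute path, which pathlib's `/` operator lets replace the left operand entirely, from reaching `exists()` and `FileResponse`. The same raw value is then echoed as `filename=filename` into the response's download name. The old guard should be restored; the shortest form is `if Path(filename).name != filename or filename in (".", ".."): raise HTTPException(status_code=400, detail="Invalid filename")` followed by the `resolve()` plus `relative_to(user_root)` containment check. serve_product_avatar's body starts and ends outside these hunks, so I cannot tell whether an earlier check covers this.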