From 47e98571c43cc2cadb92b744550b70b68cf8299d Mon Sep 17 00:00:00 2001
From: Alex Ruddick
Date: Wed, 25 Oct 2023 17:45:23 -0500
Subject: [PATCH 1/2] Avoid malicious user path input

---
 pymodbus/server/simulator/http_server.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pymodbus/server/simulator/http_server.py b/pymodbus/server/simulator/http_server.py
index d65b7e1f4..585454c64 100644
--- a/pymodbus/server/simulator/http_server.py
+++ b/pymodbus/server/simulator/http_server.py
@@ -259,7 +259,10 @@ async def handle_html_static(self, request):
 """Handle static html."""
 if not (page := request.path[1:]):
 page = "index.html"
- file = os.path.join(self.web_path, page)
+ unsafe_file = os.path.join(self.web_path, page)
+ file = os.path.normpath(unsafe_file)
+ if not file.startswith(self.web_path):
+ raise ValueError(f"File access outside {self.web_path} not permitted.")
 try:
 with open(file, encoding="utf-8"):
 return web.FileResponse(file)

From 1de81d23badaa1182911ea480203bb5bf1fb65fb Mon Sep 17 00:00:00 2001
From: jan iversen
Date: Thu, 26 Oct 2023 08:26:54 +0200
Subject: [PATCH 2/2] Update http_server.py

---
 pymodbus/server/simulator/http_server.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/pymodbus/server/simulator/http_server.py b/pymodbus/server/simulator/http_server.py
index 585454c64..fa45d5dec 100644
--- a/pymodbus/server/simulator/http_server.py
+++ b/pymodbus/server/simulator/http_server.py
@@ -259,8 +259,7 @@ async def handle_html_static(self, request):
 """Handle static html."""
 if not (page := request.path[1:]):
 page = "index.html"
- unsafe_file = os.path.join(self.web_path, page)
- file = os.path.normpath(unsafe_file)
+ file = os.path.normpath(os.path.join(self.web_path, page))
 if not file.startswith(self.web_path):
 raise ValueError(f"File access outside {self.web_path} not permitted.")
 try:
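Review bot: The containment check `if not file.startswith(self.web_path):` is a plain string-prefix test, so it also accepts any sibling path whose name merely begins with the `web_path` string (for example a directory named like `web_path` with extra characters appended), and it behaves differently depending on whether `self.web_path` carries a trailing separator or is itself unnormalized; the same check is kept unchanged by PATCH 2/2, so this applies to both hunks. A component-wise comparison closes that gap: `root = os.path.normpath(self.web_path)` before the join, then `if os.path.commonpath([root, file]) != root:` in place of the `startswith` line. `os.path.normpath` does not resolve symlinks, so if the static directory may contain links pointing outside it, `os.path.realpath` on both sides is the stricter choice; whether that matters depends on how `web_path` is populated, which is outside the hunk. Raising `ValueError` from an aiohttp handler surfaces as a server error rather than a client error; `raise web.HTTPForbidden()` (or `HTTPNotFound`) would express the rejection more precisely. The `try`/`except` of `handle_html_static` continues beyond the end of both hunks.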