administrator/frigate
1
0
Fork 0
mirror of https://github.com/blakeblackshear/frigate.git synced 2026-06-21 11:51:53 +03:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Don't allow path traversal

Browse Source
This commit is contained in:
Nicolas Mowen 2026-06-16 07:45:41 -06:00
parent f4b6652f5f
commit ebd3db4232
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
frigate/api/export.py
View File

@ -91,6 +91,16 @@ def export_recording(
playback_factor = body.playback playback_factor = body.playback
playback_source = body.source playback_source = body.source
friendly_name = body.name friendly_name = body.name
# sanitize_filepath normalizes "\" to "/" but leaves ".." intact, so a path
# like "clips\..\..\etc/passwd" passes the CLIPS_DIR prefix check yet still
# escapes the directory once resolved. A valid snapshot path never uses "..".
if body.image_path and ".." in body.image_path:
return JSONResponse(
content=({"success": False, "message": "Invalid image path"}),
status_code=400,
)
existing_image = sanitize_filepath(body.image_path) if body.image_path else None existing_image = sanitize_filepath(body.image_path) if body.image_path else None
# a chapters value in the request body overrides the camera's export config # a chapters value in the request body overrides the camera's export config