osmith submitted this change.
osmo-smdpp.py: use commonpath in transversal check
Use commonpath, as commonprefix allows accessing a sibling directory
with the same prefix.
Change-Id: I7a42b40aa2bbcd5f0ec99f172503354c6eaa9828
---
M osmo-smdpp.py
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/osmo-smdpp.py b/osmo-smdpp.py
index d1d6fd7..2a8e478 100755
--- a/osmo-smdpp.py
+++ b/osmo-smdpp.py
@@ -640,7 +640,7 @@
# look up profile based on matchingID. We simply check if a given file exists for now..
path = os.path.join(self.upp_dir, matchingId) + '.der'
# prevent directory traversal attack
- if os.path.commonprefix((os.path.realpath(path),self.upp_dir)) != self.upp_dir:
+ if os.path.commonpath((os.path.realpath(path),self.upp_dir)) != self.upp_dir:
raise ApiError('8.2.6', '3.8', 'Refused')
if not os.path.isfile(path) or not os.access(path, os.R_OK):
raise ApiError('8.2.6', '3.8', 'Refused')
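Review bot: on the changed commonpath line, only path goes through os.path.realpath, while self.upp_dir is passed in and compared as-is. os.path.commonpath returns a normalized path with no trailing separator and raises ValueError when absolute and relative paths are mixed. So unless upp_dir is already normalized where it is assigned (not visible in this hunk), a upp_dir given with a trailing slash or through a symlink would make every matchingId come back 'Refused', and a relative upp_dir would raise an exception that is not an ApiError. Suggest resolving the base once, for example base = os.path.realpath(self.upp_dir), comparing os.path.commonpath((os.path.realpath(path), base)) != base, and mapping ValueError to the same 'Refused' ApiError. A regression test with a sibling directory that shares the upp_dir prefix would document the case named in the commit message.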
To view, visit change 42625.