osmith has submitted this change. ( https://gerrit.osmocom.org/c/pysim/+/42625?usp=email )
Change subject: osmo-smdpp.py: use commonpath in traversal check
......................................................................
osmo-smdpp.py: use commonpath in traversal check

Use commonpath, as commonprefix allows accessing a sibling directory with the same prefix.
Change-Id: I7a42b40aa2bbcd5f0ec99f172503354c6eaa9828
---
M osmo-smdpp.py
1 file changed, 1 insertion(+), 1 deletion(-)
Approvals:
  Hoernchen: Looks good to me, but someone else must approve
  osmith: Looks good to me, approved
  Jenkins Builder: Verified
diff --git a/osmo-smdpp.py b/osmo-smdpp.py index d1d6fd7..2a8e478 100755 --- a/osmo-smdpp.py +++ b/osmo-smdpp.py @@ -640,7 +640,7 @@ # look up profile based on matchingID. We simply check if a given file exists for now.. path = os.path.join(self.upp_dir, matchingId) + '.der' # prevent directory traversal attack - if os.path.commonprefix((os.path.realpath(path),self.upp_dir)) != self.upp_dir: + if os.path.commonpath((os.path.realpath(path),self.upp_dir)) != self.upp_dir: raise ApiError('8.2.6', '3.8', 'Refused') if not os.path.isfile(path) or not os.access(path, os.R_OK): raise ApiError('8.2.6', '3.8', 'Refused')
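Review bot: the right-hand operand of the new commonpath() comparison is still the raw `self.upp_dir` while the left-hand one is `os.path.realpath(path)`, and commonpath() is stricter about its arguments than the commonprefix() it replaces: it strips trailing separators from its result, so a configured upp_dir ending in `/` now refuses every profile, and it raises ValueError when one path is absolute and the other relative, so a relative upp_dir escapes as an unhandled exception instead of the intended ApiError('8.2.6', '3.8', 'Refused'). Suggest normalising the base once (e.g. `base = os.path.realpath(self.upp_dir)`, in __init__ or right before the check) and comparing against that; the isfile()/access() lines that follow could then also operate on the resolved path rather than the unresolved `path`, so the file that is stat'ed and read is the one that was checked.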
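The commit message's point, that a character-wise commonprefix() accepts a sibling directory sharing the prefix of upp_dir, can be seen directly in path arithmetic. The following is an added illustration, not code from pysim or from this change: it reproduces the pre-patch and post-patch checks side by side, and adds a third variant (the editor's own suggestion, not the project's) that normalises the base directory the same way as the candidate path. The base directory /opt/osmo-smdpp/upp and all matchingId values are constructed; nothing is created on disk, since os.path.realpath() resolves non-existent components lexically.

```python
import os

# Constructed base directory for the demonstration (not the project's default).
UPP_DIR = "/opt/osmo-smdpp/upp"


def profile_path(upp_dir, matching_id):
    """Same construction as osmo-smdpp.py: <upp_dir>/<matchingId>.der"""
    return os.path.join(upp_dir, matching_id) + ".der"


def inside_commonprefix(upp_dir, matching_id):
    """Pre-patch check: character-wise common prefix, compared to the raw base."""
    path = profile_path(upp_dir, matching_id)
    return os.path.commonprefix((os.path.realpath(path), upp_dir)) == upp_dir


def inside_commonpath(upp_dir, matching_id):
    """Post-patch check: component-wise common path, still compared to the raw base."""
    path = profile_path(upp_dir, matching_id)
    return os.path.commonpath((os.path.realpath(path), upp_dir)) == upp_dir


def inside_hardened(upp_dir, matching_id):
    """Editor's suggestion (assumption, not part of the change): resolve the base
    exactly like the candidate, and turn commonpath's ValueError (absolute mixed
    with relative) into a refusal instead of an unhandled exception."""
    base = os.path.realpath(upp_dir)
    path = os.path.realpath(profile_path(upp_dir, matching_id))
    try:
        return os.path.commonpath((path, base)) == base
    except ValueError:
        return False


# (label, upp_dir, matchingId): all constructed inputs.
CASES = [
    ("legit profile",       UPP_DIR,       "test-profile"),
    ("sibling same prefix", UPP_DIR,       "../upp-evil/secret"),  # the bug fixed here
    ("classic traversal",   UPP_DIR,       "../../etc/passwd"),
    ("base w/ trailing /",  UPP_DIR + "/", "test-profile"),        # false refusal after patch
    ("relative base",       "upp",         "test-profile"),        # ValueError after patch
]


def run_cases():
    """Return {label: (commonprefix, commonpath, hardened)}; a raised ValueError
    is recorded as the string 'ValueError' so it shows up in the table."""
    results = {}
    for label, upp_dir, mid in CASES:
        row = []
        for check in (inside_commonprefix, inside_commonpath, inside_hardened):
            try:
                row.append(check(upp_dir, mid))
            except ValueError:
                row.append("ValueError")
        results[label] = tuple(row)
    return results


if __name__ == "__main__":
    print(f"{'case':20} {'commonprefix':>12} {'commonpath':>10} {'hardened':>8}")
    for label, (a, b, c) in run_cases().items():
        print(f"{label:20} {str(a):>12} {str(b):>10} {str(c):>8}")
```

Running it shows the sibling case as the only one where commonprefix() says True and commonpath() says False, which is exactly the escape the change closes; the last two rows show the caveats of comparing against an unnormalised base, which the hardened variant handles by resolving both operands.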