Use commonpath instead of commonprefix

73195428 · Thom Wiggers · 97b8acc9 · 73195428 · 73195428 · 73195428
Unverified Commit 73195428 authored Apr 01, 2017 by Thom Wiggers 📐
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ Getting started

 If you use Docker, please look at [this part](#docker) of the README.

-0. Get at least Python 3.4 and install the Pillow requirements as per below.
+0. Get at least Python 3.5 and install the Pillow requirements as per below.
 1. Clone this repository
 2. Run `source ./source_me.sh` or `source venv/bin/activate` (or what you do for your own favourite virtualenv solution)
 3. Run `pip install -r requirements.txt`

--- a/website/photos/views.py
+++ b/website/photos/views.py
@@ -124,7 +124,7 @@ def _download(request, original_path):
    path = os.path.normpath(
        os.path.join(photopath, *original_path.split('/')[1:]))

-    if not os.path.commonprefix([photopath, path]).startswith(photopath):
+    if not os.path.commonpath([photopath, path]) == photopath:
        raise SuspiciousFileOperation(
            "Path traversal detected: someone tried to download "
            "{}, input: {}".format(path, original_path))

--- a/website/thaliawebsite/views.py
+++ b/website/thaliawebsite/views.py
@@ -69,7 +69,7 @@ def wiki_login(request):
 def styleguide_file(request, filename):
    path = os.path.join(settings.MEDIA_ROOT, 'styleguide')
    filepath = os.path.join(path, filename)
-    if not (os.path.commonprefix([path, filepath]).startswith(path) and
+    if not (os.path.commonpath([path, filepath]) == path and
            os.path.isfile(filepath)):
        raise Http404("File not found.")
    return sendfile(request, filepath, attachment=True)

--- a/website/utils/views.py
+++ b/website/utils/views.py
@@ -21,7 +21,7 @@ def _private_thumbnails_unauthed(request, size_fit, original_path):
    """
    thumbpath = os.path.join(settings.MEDIA_ROOT, 'thumbnails', size_fit)
    path = os.path.normpath(os.path.join(thumbpath, original_path))
-    if not os.path.commonprefix([thumbpath, path]).startswith(thumbpath):
+    if not os.path.commonpath([thumbpath, path]) == thumbpath:
        raise SuspiciousFileOperation(
            "Path traversal detected: someone tried to download "
            "{}, input: {}".format(path, original_path))
@@ -55,13 +55,13 @@ def generate_thumbnail(request, size_fit, path, thumbpath):
    thumb_root = os.path.join(settings.MEDIA_ROOT, 'thumbnails', size_fit)

    public_img = False
-    if (os.path.commonprefix([full_thumbpath, full_path])
-            .startswith(public_media)):
+    if (os.path.commonpath([full_thumbpath, full_path, public_media]) ==
+            public_media):
        public_img = True
-    elif not (os.path.commonprefix([full_thumbpath, thumb_root])
-              .startswith(thumb_root) and
-              os.path.commonprefix([full_path, settings.MEDIA_ROOT])
-              .startswith(settings.MEDIA_ROOT)):
+    elif not (os.path.commonpath([full_thumbpath, thumb_root]) ==
+              thumb_root and
+              os.path.commonpath([full_path, settings.MEDIA_ROOT]) ==
+              settings.MEDIA_ROOT):
        raise SuspiciousFileOperation(
            "Path traversal detected: someone tried to generate a thumb from "
            "{} to {}".format(full_path, full_thumbpath))