fix: prevent path transversals in scorm upload

This commit is contained in:
raizasafeel
2026-03-30 14:48:42 +05:30
parent 839c8eca6e
commit bb1b1f6adc


@@ -1004,9 +1004,20 @@ def upsert_chapter(
def extract_package(course: str, title: str, scorm_package: dict):
package = frappe.get_doc("File", scorm_package.name)
zip_path = package.get_full_path()
# check_for_malicious_code(zip_path)
scorm_root = os.path.realpath(frappe.get_site_path("public", "scorm"))
extract_path = frappe.get_site_path("public", "scorm", course, title)
zipfile.ZipFile(zip_path).extractall(extract_path)
if not os.path.realpath(extract_path).startswith(scorm_root + os.sep):
frappe.throw(_("Invalid course or chapter name"))
with zipfile.ZipFile(zip_path, "r") as zf:
dest = os.path.realpath(extract_path)
for name in zf.namelist():
target = os.path.realpath(os.path.join(extract_path, name))
if not target.startswith(dest + os.sep) and target != dest:
frappe.throw(_("Invalid file path in package"))
zf.extractall(extract_path)
return extract_path
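Review bot: `os.path.realpath(extract_path)` is resolved twice in the new code, once for the root check and again as `dest` inside the `with`; resolving it once before the root check and reusing that value keeps both checks on the same resolved path and lets the per-entry `os.path.join` build on the resolved directory as well. The per-entry loop is sound defense in depth on top of zipfile's own name sanitisation, but nothing bounds the archive before `zf.extractall`, and the only content check (`check_for_malicious_code`) is still commented out, so any archive whose names pass is extracted unconditionally; summing `info.file_size` over `zf.infolist()` in the same loop against a cap would close that without a second pass. That `frappe.throw` raises, so the loop really aborts on the first bad entry, is inferred from its use at the root check and worth confirming. The rewritten body is below; the cap constant is a placeholder to be defined in site config or a module constant.
```python
    dest = os.path.realpath(extract_path)
    if not dest.startswith(scorm_root + os.sep):
        frappe.throw(_("Invalid course or chapter name"))
    with zipfile.ZipFile(zip_path, "r") as zf:
        total_size = 0
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if not target.startswith(dest + os.sep) and target != dest:
                frappe.throw(_("Invalid file path in package"))
            total_size += info.file_size
            if total_size > MAX_SCORM_UNCOMPRESSED_BYTES:  # placeholder cap, define per deployment
                frappe.throw(_("Package exceeds the allowed uncompressed size"))
        zf.extractall(extract_path)
    # … unchanged: return extract_path …
```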