Prevent accessing files outside target dir

ccrisan · ccrisan · commit d29d81e4ead3 · 2019-07-14T21:57:00.000+03:00
diff --git a/motioneye/mediafiles.py b/motioneye/mediafiles.py
@@ -466,6 +466,9 @@ def get_media_path(camera_config, path, media_type):
 def get_media_content(camera_config, path, media_type):
     target_dir = camera_config.get('target_dir')
 
+    if '..' in path:
+        raise Exception('invalid media path')
+
     full_path = os.path.join(target_dir, path)
 
     try:
