Fix imports issue (#611)

* Add fix for zip issue * Properly restrict by MAX_CONTENT_LENGTH
2018-04-14 13:46:35 -04:00 · 2018-04-14 13:46:35 -04:00 · 8c4f915cb4
parent 995cf6a920
commit 8c4f915cb4
1 changed files with 12 additions and 1 deletions
--- a/CTFd/utils.py
+++ b/CTFd/utils.py
@ -843,10 +843,21 @@ def import_ctf(backup, segments=None, erase=False):
        segments = ['challenges', 'teams', 'both', 'metadata']

    if not zipfile.is_zipfile(backup):
-        raise TypeError
+        raise zipfile.BadZipfile

    backup = zipfile.ZipFile(backup)

+    members = backup.namelist()
+    max_content_length = get_app_config('MAX_CONTENT_LENGTH')
+    for f in members:
+        if f.startswith('/') or '..' in f:
+            # Abort on malicious zip files
+            raise zipfile.BadZipfile
+        info = backup.getinfo(f)
+        if max_content_length:
+            if info.file_size > max_content_length:
+                raise zipfile.LargeZipFile
+
    groups = {
        'challenges': [
            'challenges',