Fix imports issue (#611)

* Add fix for zip issue
* Properly restrict by MAX_CONTENT_LENGTH
selenium-screenshot-testing
Kevin Chung 2018-04-14 13:46:35 -04:00 committed by GitHub
parent 995cf6a920
commit 8c4f915cb4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 1 deletions


@ -843,10 +843,21 @@ def import_ctf(backup, segments=None, erase=False):
segments = ['challenges', 'teams', 'both', 'metadata'] segments = ['challenges', 'teams', 'both', 'metadata']
if not zipfile.is_zipfile(backup): if not zipfile.is_zipfile(backup):
raise TypeError raise zipfile.BadZipfile
backup = zipfile.ZipFile(backup) backup = zipfile.ZipFile(backup)
members = backup.namelist()
max_content_length = get_app_config('MAX_CONTENT_LENGTH')
for f in members:
if f.startswith('/') or '..' in f:
# Abort on malicious zip files
raise zipfile.BadZipfile
info = backup.getinfo(f)
if max_content_length:
if info.file_size > max_content_length:
raise zipfile.LargeZipFile
groups = { groups = {
'challenges': [ 'challenges': [
'challenges', 'challenges',
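Review bot: The size limit in the new loop is checked per member (`info.file_size > max_content_length`), so an archive with many entries that each stay under `MAX_CONTENT_LENGTH` is still accepted and the total uncompressed size is unbounded. If the goal is to cap what an import can unpack, keep a running total: `total_size += info.file_size`, then `if max_content_length and total_size > max_content_length: raise zipfile.LargeZipFile`. `file_size` is the size declared in the archive's directory, not a measured one, so whatever reads the members later should presumably cap its reads as well. The path test `'..' in f` is a substring match: it also rejects harmless names such as `notes..txt` and ignores backslash separators, so comparing the components of the normalised name against `'..'` would be more precise. The rest of `import_ctf` lies outside this hunk, so how the members are later read or extracted cannot be seen here.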