evlli/hass-core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Disallow uploading files to bypass the media dirs (#91817)

Browse source
This commit is contained in:
Paulus Schoutsen 2023-04-21 10:21:20 -04:00 committed by GitHub
parent 9665bc61f2
commit 78e29d526c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
homeassistant/components/media_source/local_source.py
View file

@ -48,7 +48,10 @@ class LocalSource(MediaSource):
@callback
def async_full_path(self, source_dir_id: str, location: str) -> Path:
"""Return full path."""
return Path(self.hass.config.media_dirs[source_dir_id], location)
base_path = self.hass.config.media_dirs[source_dir_id]
full_path = Path(base_path, location)
full_path.relative_to(base_path)
return full_path
@callback
def async_parse_identifier(self, item: MediaSourceItem) -> tuple[str, str]:
@ -65,6 +68,9 @@ class LocalSource(MediaSource):
except ValueError as err:
raise Unresolvable("Invalid path.") from err
if Path(location).is_absolute():
raise Unresolvable("Invalid path.")
return source_dir_id, location
async def async_resolve_media(self, item: MediaSourceItem) -> PlayMedia: