results_file.py: Allow to access files in subdirectory

However we pay attention that no one is trying to access a file in a parent directory

results_file.py: Allow to access files in subdirectory
However we pay attention that no one is trying to access a file in a parent directory
d74e6dcf · Mikaël Salson · Vidjil Team · 19908eaa · d74e6dcf
Commit d74e6dcf authored Mar 05, 2019 by Mikaël Salson Committed by Vidjil Team Mar 17, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

server/web2py/applications/vidjil/controllers/results_file.py ...er/web2py/applications/vidjil/controllers/results_file.py +2 -2

No files found.
--- a/server/web2py/applications/vidjil/controllers/results_file.py
+++ b/server/web2py/applications/vidjil/controllers/results_file.py
@@ -116,10 +116,10 @@ def output():
 @cache.action()
 def download():
    sample_set_id = get_sample_set_id_from_results_file(request.vars["results_file_id"])
-    if auth.can_view_sample_set(sample_set_id):
+    if auth.can_view_sample_set(sample_set_id) and not '..' in request.vars['filename']:
        results_id = int(request.vars["results_file_id"])
        directory = defs.DIR_OUT_VIDJIL_ID % results_id
-        filepath = directory + os.path.basename(request.vars['filename'])
+        filepath = directory + request.vars['filename']
        try:
            log.info("Downloaded results file", extra={'user_id': auth.user.id,
                'record_id': request.vars["results_file_id"],