Harden local secrets and backup restore
This commit is contained in:
@@ -12,3 +12,7 @@ dist
|
|||||||
build
|
build
|
||||||
data
|
data
|
||||||
instance
|
instance
|
||||||
|
.cloudron-push.env
|
||||||
|
.env.local
|
||||||
|
.env.push.local
|
||||||
|
nouri.sqlite3
|
||||||
|
|||||||
@@ -9,6 +9,7 @@ __pycache__/
|
|||||||
|
|
||||||
data/
|
data/
|
||||||
instance/
|
instance/
|
||||||
|
nouri.sqlite3
|
||||||
.cloudron-push.env
|
.cloudron-push.env
|
||||||
.env.local
|
.env.local
|
||||||
.env.push.local
|
.env.push.local
|
||||||
|
|||||||
+5
-1
@@ -77,6 +77,7 @@ def export_backup_archive(
|
|||||||
|
|
||||||
def _extract_uploads_to_temp(archive: zipfile.ZipFile) -> Path:
|
def _extract_uploads_to_temp(archive: zipfile.ZipFile) -> Path:
|
||||||
temp_dir = Path(tempfile.mkdtemp(prefix="nouri-restore-uploads-"))
|
temp_dir = Path(tempfile.mkdtemp(prefix="nouri-restore-uploads-"))
|
||||||
|
temp_root = temp_dir.resolve()
|
||||||
for member in archive.infolist():
|
for member in archive.infolist():
|
||||||
if not member.filename.startswith("uploads/") or member.is_dir():
|
if not member.filename.startswith("uploads/") or member.is_dir():
|
||||||
continue
|
continue
|
||||||
@@ -84,8 +85,11 @@ def _extract_uploads_to_temp(archive: zipfile.ZipFile) -> Path:
|
|||||||
if not relative_target:
|
if not relative_target:
|
||||||
continue
|
continue
|
||||||
target_path = temp_dir / relative_target
|
target_path = temp_dir / relative_target
|
||||||
|
resolved_target = target_path.resolve()
|
||||||
|
if not resolved_target.is_relative_to(temp_root):
|
||||||
|
raise ValueError("Das Backup enthält einen ungültigen Upload-Pfad.")
|
||||||
target_path.parent.mkdir(parents=True, exist_ok=True)
|
target_path.parent.mkdir(parents=True, exist_ok=True)
|
||||||
with archive.open(member, "r") as source, target_path.open("wb") as destination:
|
with archive.open(member, "r") as source, resolved_target.open("wb") as destination:
|
||||||
shutil.copyfileobj(source, destination)
|
shutil.copyfileobj(source, destination)
|
||||||
return temp_dir
|
return temp_dir
|
||||||
|
|
||||||
|
|||||||
+1
-1
@@ -1,5 +1,5 @@
|
|||||||
Flask==3.1.1
|
Flask==3.1.1
|
||||||
gunicorn==23.0.0
|
gunicorn==23.0.0
|
||||||
pywebpush==2.3.0
|
pywebpush==2.3.0
|
||||||
Pillow==11.2.1; python_version < "3.14"
|
Pillow==12.2.0; python_version < "3.14"
|
||||||
fpdf2==2.8.3
|
fpdf2==2.8.3
|
||||||
|
|||||||
Reference in New Issue
Block a user