From c7e55022a13516cb07c1e4f1a7d8ab3793536ab0 Mon Sep 17 00:00:00 2001
From: JezerM
Date: Tue, 4 Jan 2022 17:51:07 -0600
Subject: [PATCH] Fixes theme_utils.dirlist allowed paths. Changed its behavior.
---
 web-greeter/bridge/ThemeUtils.py | 19 +++++++++++--------
 web-greeter/browser/browser.py | 2 +-
 2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/web-greeter/bridge/ThemeUtils.py b/web-greeter/bridge/ThemeUtils.py
index 1167b9a..7dc6bf2 100644
--- a/web-greeter/bridge/ThemeUtils.py
+++ b/web-greeter/bridge/ThemeUtils.py
@@ -28,7 +28,7 @@
 # Standard Lib
 import os
-from glob import glob
+import re
 import tempfile
 # 3rd-Party Libs
@@ -36,6 +36,7 @@
 from browser.bridge import Bridge, BridgeObject
 from PyQt5.QtCore import QVariant
 from config import web_greeter_config
+from logger import logger
 class ThemeUtils(BridgeObject):
@@ -46,7 +47,9 @@ class ThemeUtils(BridgeObject):
 self._greeter = greeter
 self._allowed_dirs = (
- os.path.dirname(self._config["config"]["greeter"]["theme"]),
+ os.path.dirname(
+ os.path.realpath(self._config["config"]["greeter"]["theme"])
+ ),
 self._config["app"]["theme_dir"],
 self._config["config"]["branding"]["background_images_dir"],
 self._greeter.shared_data_directory,
@@ -74,17 +77,17 @@ class ThemeUtils(BridgeObject):
 break
 if not allowed:
+ logger.error("Path \"" + dir_path + "\" is not allowed");
 return []
+ result = []
 if only_images:
- file_types = ('jpg', 'jpeg', 'png', 'gif', 'bmp', 'webp')
- result = [
- glob('{0}/**/*.{1}'.format(dir_path, ftype), recursive=True)
- for ftype in file_types
- ]
- result = [image for image_list in result for image in image_list]
+ for f in os.scandir(dir_path):
+ if f.is_file() and re.match(r".+\.(jpe?g|png|gif|bmp|webp)", f.name):
+ result.append(f.path)
 else:
 result = [os.path.join(dir_path, f) for f in os.listdir(dir_path)]
+ result.sort()
 return result
diff --git a/web-greeter/browser/browser.py b/web-greeter/browser/browser.py
index 289dbf2..413edfe 100644
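Review bot: Only the theme entry of `_allowed_dirs` is canonicalised with `os.path.realpath`; `theme_dir`, `background_images_dir` and `shared_data_directory` are stored exactly as configured. If the check in dirlist (outside this hunk) compares these entries with a resolved `dir_path`, a configured directory that is a symlink or is written with a trailing slash or `..` would not match, and the allow-list mixes resolved and unresolved forms. Resolving every entry the same way keeps the comparison consistent, for example `self._allowed_dirs = tuple(os.path.realpath(d) for d in self._allowed_dirs)` once the tuple is built. The tuple continues past the end of the hunk, so any further entries are not visible here.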
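Review bot: The extension filter in the `only_images` branch is not anchored at the end: `re.match` pins only the start of `f.name`, so names such as `shot.png.bak` or `a.jpgx` pass `r".+\.(jpe?g|png|gif|bmp|webp)"` and are returned to the theme as images. Use `re.fullmatch(r".+\.(jpe?g|png|gif|bmp|webp)", f.name)` (or end the pattern with `$`) so only names that end in a listed extension are reported. `f.is_file()` also follows symlinks by default, so a link inside an allowed directory that points elsewhere is still listed; `f.is_file(follow_symlinks=False)` excludes those if that is not intended. The body of dirlist starts above the hunk, so the allow-list comparison itself is not visible here.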
--- a/web-greeter/browser/browser.py
+++ b/web-greeter/browser/browser.py
@@ -258,6 +258,7 @@ class Browser(Application):
 logger.debug("Browser Window created")
 def load(self):
+ self.load_theme()
 self.greeter = Greeter()
 self.greeter_config = Config()
 self.theme_utils = ThemeUtils(self.greeter)
@@ -265,7 +266,6 @@ class Browser(Application):
 self.bridge_objects = (self.greeter, self.greeter_config, self.theme_utils)
 self.initialize_bridge_objects()
 self.load_script(':/_greeter/js/bundle.js', 'Web Greeter Bundle')
- self.load_theme()
 def _initialize_devtools(self):
 self.dev_view = QWebEngineView(parent=self.window)
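Review bot: The ordering dependency created at the top of `load()` is undocumented, so a later cleanup could move `self.load_theme()` back without noticing what breaks. Presumably the call has to come first so that `ThemeUtils(self.greeter)` sees the final theme path when it builds its allowed directories. It also means the theme is now loaded before `initialize_bridge_objects()` and `load_script(':/_greeter/js/bundle.js', ...)` have run. The body of load_theme is not visible here, so confirm it does not start navigation before the bridge objects and bundle are in place. A comment above the call would record the constraint, e.g. `# Resolve the theme first: ThemeUtils derives its allowed dirs from the configured theme path`.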