fix [security] path traversal allowing authenticated AIL users to read gzip-compressed files accessible to the AIL process. Reported by Jeroen Gui

Terrtia · Terrtia · commit 57eed32e11f8 · 2026-04-08T17:46:42.000+02:00
diff --git a/bin/lib/item_basic.py b/bin/lib/item_basic.py
@@ -24,14 +24,21 @@
 
 def exist_item(item_id):
     filename = get_item_filepath(item_id)
+    if not filename:
+        return False
     if os.path.isfile(filename):
         return True
     else:
         return False
 
 def get_item_filepath(item_id):
     filename = os.path.join(ConfigLoader.get_items_dir(), item_id)
-    return os.path.realpath(filename)
+    filename = os.path.realpath(filename)
+    items_dir = ConfigLoader.get_items_dir()
+    if not os.path.commonpath([filename, items_dir]) == items_dir:
+        return None
+    else:
+        return filename
 
 def get_item_date(item_id, add_separator=False):
     l_dir = item_id.split('/')
diff --git a/bin/lib/objects/Items.py b/bin/lib/objects/Items.py
@@ -89,7 +89,7 @@ def get_filename(self):
         filename = os.path.realpath(filename)
 
         # incorrect filename
-        if not os.path.commonprefix([filename, ITEMS_FOLDER]) == ITEMS_FOLDER:
+        if not os.path.commonpath([filename, ITEMS_FOLDER]) == ITEMS_FOLDER:
             return None
         else:
             return filename
@@ -788,7 +788,7 @@ def get_item_filename(item_id):
     filename = os.path.realpath(filename)
 
     # incorrect filename
-    if not os.path.commonprefix([filename, ITEMS_FOLDER]) == ITEMS_FOLDER:
+    if not os.path.commonpath([filename, ITEMS_FOLDER]) == ITEMS_FOLDER:
         return None
     else:
         return filename
