Merge pull request #1 from zzjc1234/fix/security_win

fix: fail to upload figure
linsyking · Jan 17, 2024 · e3e5ba5 · e3e5ba5
2 parents b0d2a9a + 4927cbe
commit e3e5ba5
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/canvas_app.py b/canvas_app.py
@@ -37,13 +37,14 @@
 # INFO: Safety check for file
 def check_file(filename):
     base_path = "/public/res/"
+    base_path_win = "\\public\\res\\"
     fullPath = path.normpath(path.join(base_path, filename))
     if (
         not "." in filename
         or not filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSION
     ):
         return "Illegal"
-    if not fullPath.startswith(base_path):
+    if not fullPath.startswith(base_path) and not fullPath.startswith(base_path_win):
         return "Illegal"
     else:
         return filename