Check that the directory being added to the Python path is really inside the course.

2013-05-14 14:59:19 -04:00
parent 768665067f
commit 4ea7607648
1 changed files with 6 additions and 1 deletions
--- a/common/lib/capa/capa/capa_problem.py
+++ b/common/lib/capa/capa/capa_problem.py
@@ -413,12 +413,17 @@ class LoncapaProblem(object):
        path = []

        for dir in raw_path:
-
            if not dir:
                continue

            # path is an absolute path or a path relative to the data dir
            dir = os.path.join(self.system.filestore.root_path, dir)
+            # Check that we are within the filestore tree.
+            reldir = os.path.relpath(dir, self.system.filestore.root_path)
+            if ".." in reldir:
+                log.warning("Ignoring Python directory outside of course: %r" % dir)
+                continue
+
            abs_dir = os.path.normpath(dir)
            path.append(abs_dir)