Home-IoT/esphome
1
0
Fork 0
mirror of https://github.com/esphome/esphome.git synced 2025-01-18 10:25:56 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Merge pull request from GHSA-8p25-3q46-8q2p

Browse source
This commit is contained in:
Jesse Hills 2024-02-23 07:38:24 +13:00 committed by GitHub
parent 58c0d8c267
commit a748610071
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 20 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
esphome/dashboard/web_server.py
View file

@ -808,8 +808,16 @@ class EditRequestHandler(BaseHandler):
@bind_config @bind_config
async def get(self, configuration: str | None = None) -> None: async def get(self, configuration: str | None = None) -> None:
"""Get the content of a file.""" """Get the content of a file."""
loop = asyncio.get_running_loop() if not configuration.endswith((".yaml", ".yml")):
self.send_error(404)
return
filename = settings.rel_path(configuration) filename = settings.rel_path(configuration)
if Path(filename).resolve().parent != settings.absolute_config_dir:
self.send_error(404)
return
loop = asyncio.get_running_loop()
content = await loop.run_in_executor( content = await loop.run_in_executor(
None, self._read_file, filename, configuration None, self._read_file, filename, configuration
) )
@ -835,14 +843,20 @@ class EditRequestHandler(BaseHandler):
@bind_config @bind_config
async def post(self, configuration: str | None = None) -> None: async def post(self, configuration: str | None = None) -> None:
"""Write the content of a file.""" """Write the content of a file."""
if not configuration.endswith((".yaml", ".yml")):
self.send_error(404)
return
filename = settings.rel_path(configuration)
if Path(filename).resolve().parent != settings.absolute_config_dir:
self.send_error(404)
return
loop = asyncio.get_running_loop() loop = asyncio.get_running_loop()
config_file = settings.rel_path(configuration) await loop.run_in_executor(None, self._write_file, filename, self.request.body)
await loop.run_in_executor(
None, self._write_file, config_file, self.request.body
)
# Ensure the StorageJSON is updated as well # Ensure the StorageJSON is updated as well
await async_run_system_command( await async_run_system_command(
[*DASHBOARD_COMMAND, "compile", "--only-generate", config_file] [*DASHBOARD_COMMAND, "compile", "--only-generate", filename]
) )
self.set_status(200) self.set_status(200)