Merge pull request from GHSA-8p25-3q46-8q2p

Jesse Hills 2024-02-23 07:38:24 +13:00
parent 84c6e52be2
commit d814ed1d4a
No known key found for this signature in database
GPG key ID: BEAAE804EFD8E83A


@ -806,8 +806,16 @@ class EditRequestHandler(BaseHandler):
@bind_config
async def get(self, configuration: str | None = None) -> None:
"""Get the content of a file."""
loop = asyncio.get_running_loop()
if not configuration.endswith((".yaml", ".yml")):
self.send_error(404)
return
filename = settings.rel_path(configuration)
if Path(filename).resolve().parent != settings.absolute_config_dir:
self.send_error(404)
return
loop = asyncio.get_running_loop()
content = await loop.run_in_executor(
None, self._read_file, filename, configuration
)
@ -833,11 +841,17 @@ class EditRequestHandler(BaseHandler):
@bind_config
async def post(self, configuration: str | None = None) -> None:
"""Write the content of a file."""
if not configuration.endswith((".yaml", ".yml")):
self.send_error(404)
return
filename = settings.rel_path(configuration)
if Path(filename).resolve().parent != settings.absolute_config_dir:
self.send_error(404)
return
loop = asyncio.get_running_loop()
config_file = settings.rel_path(configuration)
await loop.run_in_executor(
None, self._write_file, config_file, self.request.body
)
await loop.run_in_executor(None, self._write_file, filename, self.request.body)
# Ensure the StorageJSON is updated as well
DASHBOARD.entries.async_schedule_storage_json_update(filename)
self.set_status(200)
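Review bot: The extension check and the resolved-parent check are copied verbatim into both `get` and `post`, so a later edit to one handler can leave the other with the weaker guard; moving them into one private helper that both call keeps the path validation in a single place. `configuration` is annotated `str | None` with a default of `None`, so `configuration.endswith(...)` would raise instead of sending the 404 if `None` ever arrives, unless `bind_config` (not visible here) already guarantees a string. The `!=` comparison also relies on `settings.absolute_config_dir` being a fully resolved `Path`, which these hunks do not show; a short comment stating that assumption would help. Logging the rejected name before `send_error(404)` would make traversal attempts visible. Both handlers continue outside the hunks shown, and the helper name below is only a suggestion.

```python
    def _checked_config_path(self, configuration: str | None) -> str | None:
        """Return the path of a YAML file directly inside the config dir, else None."""
        if not configuration or not configuration.endswith((".yaml", ".yml")):
            return None
        filename = settings.rel_path(configuration)
        # Assumes settings.absolute_config_dir is already a resolved Path.
        if Path(filename).resolve().parent != settings.absolute_config_dir:
            return None
        return filename

    # in get() and post(), replacing the two inline checks:
        filename = self._checked_config_path(configuration)
        if filename is None:
            self.send_error(404)
            return
        # … unchanged: run_in_executor read / write and storage update …
```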