Check that the directory being added to the Python path is really inside the course.

4ea76076 · Ned Batchelder · 76866506 · 4ea76076
Commit 4ea76076 authored May 14, 2013 by Ned Batchelder
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletions

common/lib/capa/capa/capa_problem.py
+6 -1

No files found.
--- a/common/lib/capa/capa/capa_problem.py
+++ b/common/lib/capa/capa/capa_problem.py
@@ -413,12 +413,17 @@ class LoncapaProblem(object):
        path = []
        for dir in raw_path:
            if not dir:
                continue
            # path is an absolute path or a path relative to the data dir
            dir = os.path.join(self.system.filestore.root_path, dir)
+            # Check that we are within the filestore tree.
+            reldir = os.path.relpath(dir, self.system.filestore.root_path)
+            if ".." in reldir:
+                log.warning("Ignoring Python directory outside of course: %r" % dir)
+                continue
            abs_dir = os.path.normpath(dir)
            path.append(abs_dir)