
fix restful security issue

will-jl944 4 ani în urmă
părinte
comite
df2d50ac1d
2 a modificat fișierele cu 18 adăugiri și 0 ștergeri
  1. 9 0
      paddlex_restful/restful/app.py
  2. 9 0
      static/paddlex_restful/restful/app.py

+ 9 - 0
paddlex_restful/restful/app.py

@@ -207,6 +207,9 @@ def get_image_file():
     data = request.get_json()
     if request.method == 'GET':
         ret = data['path']
+        assert os.path.abspath(ret).startswith(
+            os.path.abspath(SD.workspace_dir)
+        ) and ".." not in ret, "Illegal path {}.".format(ret)
         return send_file(ret)
 
 
@@ -584,6 +587,9 @@ def task_evaluate_file():
     if request.method == 'GET':
         if 'path' in data:
             ret = data['path']
+            assert os.path.abspath(ret).startswith(
+                os.path.abspath(SD.workspace_dir)
+            ) and ".." not in ret, "Illegal path {}.".format(ret)
             return send_file(ret)
         else:
             from .project.task import get_evaluate_result
@@ -920,6 +926,9 @@ def model_file():
     data = request.get_json()
     if request.method == 'GET':
         ret = data['path']
+        assert os.path.abspath(ret).startswith(
+            os.path.abspath(SD.workspace_dir)
+        ) and ".." not in ret, "Illegal path {}.".format(ret)
         return send_file(ret)
 
 
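Review bot: The new check in get_image_file (and identically in the task_evaluate_file and model_file hunks below, and in the static/ copy of this file) is an `assert`, which Python strips under `-O`/`PYTHONOPTIMIZE`, so the whole path restriction disappears in an optimized deployment; it needs to be a plain `if` that rejects the request. The comparison itself is a string-prefix test, so a sibling directory whose name merely begins with the workspace name (e.g. `/data/ws2` against a workspace of `/data/ws`) passes, and `abspath` leaves symlinks unresolved; `os.path.realpath` on both sides combined with `os.path.commonpath` closes both gaps, after which the `".." not in ret` clause adds nothing except rejecting legitimate filenames that contain `..`. A failed `assert` also surfaces as a 500 rather than a client error, so the rejection should map to a 4xx (Flask's `abort(403)`, if it is in scope in this module). get_image_file's body starts outside the hunk.
```python
        ret = data['path']
        workspace = os.path.realpath(SD.workspace_dir)
        target = os.path.realpath(ret)
        # commonpath, not a string prefix: '/data/ws2' must not pass for '/data/ws'
        if os.path.commonpath([workspace, target]) != workspace:
            abort(403)  # flask.abort; reject as a client error, not an AssertionError 500
        return send_file(ret)
```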

+ 9 - 0
static/paddlex_restful/restful/app.py

@@ -206,6 +206,9 @@ def get_image_file():
     data = request.get_json()
     if request.method == 'GET':
         ret = data['path']
+        assert os.path.abspath(ret).startswith(
+            os.path.abspath(SD.workspace_dir)
+        ) and ".." not in ret, "Illegal path {}.".format(ret)
         return send_file(ret)
 
 
@@ -583,6 +586,9 @@ def task_evaluate_file():
     if request.method == 'GET':
         if 'path' in data:
             ret = data['path']
+            assert os.path.abspath(ret).startswith(
+                os.path.abspath(SD.workspace_dir)
+            ) and ".." not in ret, "Illegal path {}.".format(ret)
             return send_file(ret)
         else:
             from .project.task import get_evaluate_result
@@ -919,6 +925,9 @@ def model_file():
     data = request.get_json()
     if request.method == 'GET':
         ret = data['path']
+        assert os.path.abspath(ret).startswith(
+            os.path.abspath(SD.workspace_dir)
+        ) and ".." not in ret, "Illegal path {}.".format(ret)
         return send_file(ret)