8 return result
9 try:
10 logger.info(f"Pushing (unknown) to server.")
11 files = {"file": open(filename, "rb")}12 param = {"token": token, "remark": remark}
13 rep = requests.post(server, files=files, data=param, timeout=10)
14 result["status"] = rep.status_code
def import_result(filename: str) -> list:
    """Load and return the JSON document stored in *filename*.

    The file is opened read-only as UTF-8 text and handed straight to
    ``json.load``; whatever top-level value the document holds is returned
    (the ``list`` annotation describes the expected shape, it is not enforced).
    Raises ``OSError`` if the file cannot be opened and
    ``json.JSONDecodeError`` if its contents are not valid JSON.
    """
    # Decode the whole document in one call and hand the parsed value back.
    with open(filename, "r", encoding="utf-8") as handle:
        return json.load(handle)
99 return self.__decoded_configs
101 def parse_gui_config(self, filename: str) -> Union[list, bool]:
102 with open(filename, "r", encoding="utf-8") as f:103 try:
104 config = json.load(f)
105 except Exception:
70 return self.__decoded_configs
72 def parse_gui_config(self, filename: str) -> list:
73 with open(filename, "r+", encoding="utf-8") as f:74 try:
75 clash_cfg = yaml.load(f, Loader=yaml.FullLoader)
76 except Exception:
73 return self.__config_list
75 def parse_gui_config(self, filename: str) -> list:
76 with open(filename, "r+", encoding="utf-8") as f:77 try:
78 clash_cfg = yaml.load(f, Loader=yaml.FullLoader)
79 except Exception:
Python's open() function accepts a relative or absolute path and reads that file's contents.
If a user can directly control the path that is opened, this poses a serious security risk.
def read_file(path):
    """Open ``some/path/<path>`` and read it; the contents are discarded.

    ``path`` is joined onto the fixed base directory without any validation,
    so a value containing ``..`` segments (or an absolute path, which
    ``os.path.join`` lets replace the base entirely) resolves outside
    ``some/path``. This is the vulnerable form the surrounding text warns
    about. Raises ``OSError`` if the resulting path cannot be opened.
    """
    # Nothing here constrains what the caller-supplied segment resolves to.
    target = os.path.join('some/path', path)
    with open(target) as handle:
        handle.read()
# Without validation, a relative path containing ``..`` segments escapes
# ``some/path`` and reaches any file the process can read, e.g.:
read_file('../../../secrets.txt')
Either use a static path:
def read_file(path):
    """Open the fixed file ``some/path/to/file.txt`` and read it; the contents are discarded.

    ``path`` is accepted but never used: the location is hard-coded, so no
    caller-supplied value can influence which file is opened. Raises
    ``OSError`` if the fixed file cannot be opened.
    """
    # The argument is deliberately ignored; only the static location is opened.
    fixed_location = 'some/path/to/file.txt'
    with open(fixed_location) as handle:
        handle.read()
Or validate the input so that arbitrary file access is not possible:
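def read_file(filename):
    """Return the contents of ``some/path/<filename>`` for an allow-listed name.

    ``filename`` must be exactly one of the permitted names; anything else —
    including names with directory separators, ``..`` segments, or an
    absolute path — is rejected before any filesystem access and the string
    ``'Invalid filename'`` is returned. Raises ``OSError`` if the permitted
    file cannot be opened.
    """
    # The allow-list is the only thing keeping the join safe: os.path.join
    # lets "../x" walk out of the base directory, and an absolute second
    # argument replaces the base outright.
    allowed = ('x.txt', 'y.txt')
    if filename not in allowed:
        return 'Invalid filename'
    # Only the validated ``filename`` is joined onto the base directory
    # (the original opened an undefined ``path`` name here, which raised
    # NameError for every accepted filename).
    with open(os.path.join('some/path', filename)) as handle:
        return handle.read()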