From c7c2cda3331c8811cec8460f2d1a89975847cf9c Mon Sep 17 00:00:00 2001
From: Fabian Dill
Date: Mon, 10 Mar 2025 20:17:42 +0100
Subject: [PATCH] MultiServer: prevent loading files out of temp
---
 MultiServer.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/MultiServer.py b/MultiServer.py
index a310808b3a..5f9984caf7 100644
--- a/MultiServer.py
+++ b/MultiServer.py
@@ -2536,6 +2536,25 @@ async def main(args: argparse.Namespace):
 logging.info("No file selected. Exiting.")
 import sys
 sys.exit(1)
+ elif not args.disable_save:
+ import tempfile
+ import os
+ import sys
+ try:
+ common = os.path.commonpath((tempfile.gettempdir(), data_filename))
+ if not os.path.samefile(tempfile.gettempdir(), common):
+ raise ValueError
+
+ except ValueError:
+ # win32 built-in zip-folder handling, uses "temporary internet files" to store
+ if (sys.platform == "win32" and
+ "/AppData/Local/Microsoft/Windows/INetCache/IE/" in data_filename):
+ logging.info("File inside temporary directory (likely a zip file, just load the zip directly). "
+ "Exiting.")
+ sys.exit(1)
+ else:
+ logging.info("File inside temporary directory. Exiting.")
+ sys.exit(1)
 try:
 ctx.load(data_filename, args.use_embedded_options)
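Review bot: The temp-directory test in the added `try` compares path strings only, because `os.path.commonpath` does not resolve symlinks; a `data_filename` that reaches the temp directory through a symlinked or otherwise differently spelled path ends up in the `except ValueError` branch and is loaded anyway. Resolving both sides first closes that gap: `common = os.path.commonpath((os.path.realpath(tempfile.gettempdir()), os.path.realpath(data_filename)))`. The INetCache test in the `except` branch is a case- and separator-sensitive substring match, so it presumably relies on the file dialog returning forward slashes; a short comment saying so, or matching against a normalised copy of the path, would make that dependency explicit. Indentation is not visible on this page, so this reads the `else:` as belonging to the `try`; because the exception is used as control flow, a comment such as `# ValueError: not under the temp dir, or paths on different drives` above the `except` would help the next reader. `main` begins and continues outside the hunk.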