CVE-2024-51998 - file:/ path traversal access should not be allowed to access a file without ALLOW_FILE_URI set

2025-12-11 18:45:34 +00:00 · 2024-11-07 18:44:08 +01:00
parent e0abf0b505
commit 49bc982c69
2 changed files with 30 additions and 3 deletions
--- a/changedetectionio/processors/init.py
+++ b/changedetectionio/processors/init.py
@@ -33,8 +33,8 @@ class difference_detection_processor():

        url = self.watch.link

-        # Protect against file:// access, check the real "link" without any meta "source:" etc prepended.
-        if re.search(r'^file://', url, re.IGNORECASE):
+        # Protect against file://, file:/ access, check the real "link" without any meta "source:" etc prepended.
+        if re.search(r'^file:/', url.strip(), re.IGNORECASE):
            if not strtobool(os.getenv('ALLOW_FILE_URI', 'false')):
                raise Exception(
                    "file:// type access is denied for security reasons."