review file controllers
we need to double check the file controllers to not allow arbitrary file access (ie something like ../../../etc/passwd) before or around we go live.
#4 Updated by coolo over 8 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 100
I implemented 1801 and while I did, I reviewed the code. It's impossible to match / for parameters and we don't do any manual descape. So unless I oversee something highly unobvious, it's impossible to get out of the test directory. The only exception was the iso download, that I fixed not to take custom file names. We only allow downloads of ISO files of valid tests. Christoper allowed all files in iso directory - which is not what we want IMO.