security: redirect_uri allowlist + mail path-traversal protection

- common.py /authorize: redirect_uri must be https://claude.ai/ or https://claude.com/ (prevents open redirect / code leakage to foreign URIs).
- mail/server.py _open_folder: realpath check, folder must stay inside the account directory (prevents path traversal).
- tests: get_token_pkce updated to the secure flow (allowed redirect_uri + client_secret).

54/54 tests green. test client stays (the test suite needs it, secret 600-protected).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
+5
-1
@@ -161,7 +161,11 @@ def _discover_folders(acct_path):
def _open_folder(acct_path, folder_name):
path = os.path.join(acct_path, folder_name)
base = os.path.realpath(acct_path)
path = os.path.realpath(os.path.join(base, folder_name))
# Path-Traversal verhindern: muss innerhalb des Account-Verzeichnisses bleiben
if path != base and not path.startswith(base + os.sep):
return None
return mailbox.Maildir(path, create=False) if os.path.isdir(path) else None
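Review bot: In the containment check `if path != base and not path.startswith(base + os.sep):`, the `path != base` arm lets a `folder_name` of `""` or `"."` resolve to the account directory itself, which is then opened as a Maildir. If that is meant to cover the account's top-level mailbox, say so in the comment; otherwise drop that arm so only real subfolders pass. The string-prefix test would be sturdier as `os.path.commonpath([base, path]) == base`, which does not depend on how `base + os.sep` is formed (with `base` equal to the filesystem root the current prefix becomes a doubled separator and nothing matches). A rejected traversal returns `None` exactly like a missing folder, so consider logging the rejected `folder_name` to make such requests visible. The commit message lists test changes only for `get_token_pkce`; a test that passes `../` and a symlinked folder name to `_open_folder` would pin this behaviour.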