Fixed an issue that allowed access to the raw template files under sp…

…ecial conditions.
ralphwetzel · Nov 19, 2016 · 2d0f584 · 2d0f584
1 parent e86c349
commit 2d0f584
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 8 deletions.
diff --git a/theonionbox/stamp.txt b/theonionbox/stamp.txt
@@ -1 +1 @@
-20161105|141353
+20161119|150401
diff --git a/theonionbox/theonionbox.py b/theonionbox/theonionbox.py
@@ -2,7 +2,7 @@
 from __future__ import absolute_import
 from __future__ import print_function
 
-__version__ = '3.0.3'      # stamp will be added later
+__version__ = '3.0.4'      # stamp will be added later
 __description__ = 'The Onion Box: WebInterface to monitor Tor Relays and Bridges'
 
 
@@ -1290,9 +1290,14 @@ def send_css(session_id, filename):
     if filename in session['stylesheets']:
         if filename in session:
             file = session[filename]
-            del session[filename]
-            headers = {'Content-Type': 'text/css; charset=UTF-8'}
-            return HTTPResponse(file, **headers)
+            # 3.0.4
+            session[filename] = None
+            if file is None:
+                # This happens when the file is requested more than once!
+                raise HTTPError(404)
+            else:
+                headers = {'Content-Type': 'text/css; charset=UTF-8'}
+                return HTTPResponse(file, **headers)
 
         elif filename == 'bootstrap.css':
             return static_file(bootstrapCSS, root=bootstrapDir + '/css', mimetype='text/css')
@@ -1315,9 +1320,14 @@ def send_js(session_id, filename):
     if filename in session['scripts']:
         if filename in session:
             file = session[filename]
-            del session[filename]
-            headers = {'Content-Type': 'application/javascript; charset=UTF-8'}
-            return HTTPResponse(file, **headers)
+            # 3.0.4
+            session[filename] = None
+            if file is None:
+                # This happens when the file is requested more than once!
+                raise HTTPError(404)
+            else:
+                headers = {'Content-Type': 'application/javascript; charset=UTF-8'}
+                return HTTPResponse(file, **headers)
 
         elif filename == 'bootstrap.js':
             return static_file(bootstrapJS, root=bootstrapDir + '/js', mimetype='text/javascript')