From 9889ac5b4adc8ab65b099e85db13afa20feda7ac Mon Sep 17 00:00:00 2001
From: virusdefender
Date: Fri, 24 Nov 2017 23:29:40 +0800
Subject: [PATCH] fix directory traversal
---
 account/views/admin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/account/views/admin.py b/account/views/admin.py
index f0b93c6..3e8fb47 100644
--- a/account/views/admin.py
+++ b/account/views/admin.py
@@ -150,7 +150,7 @@ class GenerateUserAPI(APIView):
 file_id = request.GET.get("file_id")
 if not file_id:
 return self.error("Invalid Parameter, file_id is required")
- if not re.match(r"[a-zA-Z0-9]+", file_id):
+ if not re.match(r"^[a-zA-Z0-9]+$", file_id):
 return self.error("Illegal file_id")
 file_path = f"/tmp/{file_id}.xlsx"
 if not os.path.isfile(file_path):
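Review bot: The `$` in the new pattern still matches before a trailing newline, so a `file_id` ending in `\n` (`%0A` in the query string) passes the check and reaches the `f"/tmp/{file_id}.xlsx"` path; `if not re.fullmatch(r"[a-zA-Z0-9]+", file_id):` (or `\Z` in place of `$`) rejects it. Since `re.match` already anchors at the start of the string, the added `^` is redundant either way. The practical effect here is only a malformed `/tmp/...xlsx` path rather than traversal, because the character class excludes `/` and `.`, but the validation should state exactly what it accepts. The enclosing method of `GenerateUserAPI` begins before the hunk and continues past its last line.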