FileServer: fileserver/web.py comparison

fix up security hole

author	Jeff Hammel <jhammel@mozilla.com>
date	Wed, 29 Feb 2012 16:01:38 -0800
parents	e3993fa05b89
children	1eb5e82605a5

comparison

equal deleted inserted replaced

-:4f26df21dc12
+:27bd18f0a359
 @staticmethod
 def normpath(path):
 return os.path.normcase(os.path.abspath(path))
+def check_path(self, path):
+"""
+if under the root directory, returns the full path
+otherwise, returns None
+"""
+path = self.normpath(path)
+if path == self.directory or path.startswith(self.directory + os.path.sep):
+return path
 def index(self, directory):
 """
 generate a directory listing for a given directory
 """
 parts = ['<html><head><title>Simple Index</title></head><body>']
 # TODO method_not_allowed: Allow: GET, HEAD
 path_info = request.path_info
 if not path_info:
 response = exc.HTTPMovedPermanently(add_slash=True)
 return response(environ, start_response)
-full = self.normpath(os.path.join(self.directory, path_info.strip('/')))
+full = self.check_path(os.path.join(self.directory, path_info.strip('/')))
-if not full.startswith(self.directory):
+if full is None:
 # Out of bounds
 return exc.HTTPNotFound()(environ, start_response)
 if not os.path.exists(full):
 return exc.HTTPNotFound()(environ, start_response)

Mercurial > hg > FileServer