diff fileserver/web.py @ 17:27bd18f0a359
fix up security hole
author | Jeff Hammel <jhammel@mozilla.com> |
---|---|
date | Wed, 29 Feb 2012 16:01:38 -0800 |
parents | e3993fa05b89 |
children | 1eb5e82605a5 |
--- a/fileserver/web.py Wed Feb 29 15:47:24 2012 -0800
+++ b/fileserver/web.py Wed Feb 29 16:01:38 2012 -0800
@@ -49,6 +49,15 @@
 def normpath(path):
 return os.path.normcase(os.path.abspath(path))
+ def check_path(self, path):
+ """
+ if under the root directory, returns the full path
+ otherwise, returns None
+ """
+ path = self.normpath(path)
+ if path == self.directory or path.startswith(self.directory + os.path.sep):
+ return path
+
 def index(self, directory):
 """
 generate a directory listing for a given directory
@@ -69,9 +78,9 @@
 if not path_info:
 response = exc.HTTPMovedPermanently(add_slash=True)
 return response(environ, start_response)
- full = self.normpath(os.path.join(self.directory, path_info.strip('/')))
+ full = self.check_path(os.path.join(self.directory, path_info.strip('/')))
- if not full.startswith(self.directory):
+ if full is None:
 # Out of bounds
 return exc.HTTPNotFound()(environ, start_response)
 if not os.path.exists(full):
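Review bot: check_path canonicalises only through normpath, i.e. os.path.abspath, which collapses `..` segments but does not resolve symlinks, so a symlink beneath self.directory that points outside the root still passes the prefix test and is served; if following symlinks out of the root is not intended, canonicalise with `path = os.path.normcase(os.path.realpath(path))` and apply the same to self.directory where it is set (outside this hunk). The test `path.startswith(self.directory + os.path.sep)` also depends silently on self.directory having been passed through normpath and carrying no trailing separator — otherwise the root plus a second separator never matches and every request is rejected — so that precondition belongs in the docstring, e.g. `self.directory must already be normalised with normpath and have no trailing separator`. Calling `self.normpath(path)` presumes normpath is a staticmethod; its decorator, if any, sits on the line just before the hunk. The caller in the second hunk belongs to a function that starts and ends outside the visible lines.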