comparison roundup/cgi/client.py @ 2368:7a2e55a59928 maint-0.7
fix security hole in serve_static_file
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Thu, 27 May 2004 21:53:44 +0000 |
| parents | cd7e6d6288c6 |
| children | 3af075731c43 |
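--- a/roundup/cgi/client.py
+++ b/roundup/cgi/client.py
@@ -1,6 +1,6 @@
-# $Id: client.py,v 1.176 2004-05-04 05:56:54 richard Exp $
+# $Id: client.py,v 1.176.2.1 2004-05-27 21:52:44 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
 __docformat__ = 'restructuredtext'
 
@@ -453,11 +453,17 @@
 self._serve_file(lmt, mime_type, content)
 
 def serve_static_file(self, file):
 ''' Serve up the file named from the templates dir
 '''
-filename = os.path.join(self.instance.config.TEMPLATES, file)
+# figure the filename - ensure the load doesn't try to poke
+# outside of the static files dir
+prefix = getattr(self.instance.config, 'STATIC_FILES',
+self.instance.config.TEMPLATES)
+filename = os.path.normpath(os.path.join(prefix, file))
+if not filename.startswith(prefix):
+raise NotFound, file
 
 # last-modified time
 lmt = os.stat(filename)[stat.ST_MTIME]
 
 # detemine meta-type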
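Review bot: The containment test `if not filename.startswith(prefix):` at new line 463 compares against the raw configured prefix, so a prefix with no trailing separator also admits a sibling directory whose name merely begins with the same characters, and a prefix that is itself un-normalised (trailing slash or `..` segments) would never match the `os.path.normpath` output and every static file would raise NotFound. Normalise the prefix the same way and require the separator: `prefix = os.path.normpath(prefix)` followed by `if not filename.startswith(prefix + os.sep):`. Note that normpath is purely lexical, so a symlink placed inside the static directory is presumably not covered by this check. serve_static_file's body continues past the end of the hunk.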
