diff roundup/cgi/client.py @ 2366:1d46cd2f83f6

fix security hole in serve_static_file
author Richard Jones <richard@users.sourceforge.net>
date Thu, 27 May 2004 21:53:44 +0000
parents 297e46e22e04
children 76ead526113d
--- a/roundup/cgi/client.py	Wed May 26 10:00:53 2004 +0000
+++ b/roundup/cgi/client.py	Thu May 27 21:53:44 2004 +0000
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.177 2004-05-11 13:32:05 a1s Exp $
+# $Id: client.py,v 1.178 2004-05-27 21:51:43 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
@@ -519,7 +519,13 @@
     def serve_static_file(self, file):
         ''' Serve up the file named from the templates dir
         '''
-        filename = os.path.join(self.instance.config.TEMPLATES, file)
+        # figure the filename - ensure the load doesn't try to poke
+        # outside of the static files dir
+        prefix = getattr(self.instance.config, 'STATIC_FILES',
+            self.instance.config.TEMPLATES)
+        filename = os.path.normpath(os.path.join(prefix, file))
+        if not filename.startswith(prefix):
+            raise NotFound, file
 
         # last-modified time
         lmt = os.stat(filename)[stat.ST_MTIME]
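Review bot: The containment check added on the `if not filename.startswith(prefix):` line is a plain string-prefix test, not a directory-containment test: a normalised path that lands in a sibling directory whose name merely begins with `prefix` (e.g. `<prefix>2/...`) passes, and conversely a `prefix` configured with a trailing separator or unnormalised components never matches the `normpath` output, so every request is rejected. Normalising the prefix first and comparing against the prefix plus a separator closes both gaps: `prefix = os.path.normpath(prefix)` before the join, and `if not filename.startswith(prefix + os.sep):`. The fallback to `TEMPLATES` when `STATIC_FILES` is unset is worth a comment stating that it is a compatibility default, since it widens what the handler will serve. The rest of serve_static_file continues outside the hunk.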
