diff roundup/cgi/client.py @ 2368:7a2e55a59928 maint-0.7

fix security hole in serve_static_file
author Richard Jones <richard@users.sourceforge.net>
date Thu, 27 May 2004 21:53:44 +0000
parents cd7e6d6288c6
children 3af075731c43
--- a/roundup/cgi/client.py	Sun May 23 23:26:30 2004 +0000
+++ b/roundup/cgi/client.py	Thu May 27 21:53:44 2004 +0000
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.176 2004-05-04 05:56:54 richard Exp $
+# $Id: client.py,v 1.176.2.1 2004-05-27 21:52:44 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
@@ -455,7 +455,13 @@
     def serve_static_file(self, file):
         ''' Serve up the file named from the templates dir
         '''
-        filename = os.path.join(self.instance.config.TEMPLATES, file)
+        # figure the filename - ensure the load doesn't try to poke
+        # outside of the static files dir
+        prefix = getattr(self.instance.config, 'STATIC_FILES',
+            self.instance.config.TEMPLATES)
+        filename = os.path.normpath(os.path.join(prefix, file))
+        if not filename.startswith(prefix):
+            raise NotFound, file
 
         # last-modified time
         lmt = os.stat(filename)[stat.ST_MTIME]
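Review bot: The new `startswith(prefix)` guard is a plain string-prefix test, so a request that normalises to a sibling directory whose name merely begins with the prefix (e.g. prefix `/x/templates` and a resolved path `/x/templates2/...`) still passes, and the comparison also goes wrong when `prefix` is not itself normalised (a `./templates` or trailing-slash setting makes every legitimate file fail the check). Normalise the prefix before use and compare against it with a separator appended: `prefix = os.path.normpath(getattr(self.instance.config, 'STATIC_FILES', self.instance.config.TEMPLATES))` and `if not filename.startswith(prefix + os.sep):`. Note that `normpath` does lexical cleanup only and does not resolve symlinks; if the templates directory can contain links pointing outside it, `os.path.realpath` on both sides is the stronger check. The rest of serve_static_file (the `os.stat` and whatever opens the file) continues past the end of this hunk, so I cannot see whether a `file` of `''` or `.`, which resolves to the directory itself and passes the guard, is rejected later.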
