diff roundup/cgi/client.py @ 2655:edaa8ba86bd0

fix static file path normalisation in security check (thanks David Linke)
author Richard Jones <richard@users.sourceforge.net>
date Mon, 02 Aug 2004 22:41:12 +0000
parents 1df7d4a41da4
children 7b1c440dba92
--- a/roundup/cgi/client.py	Wed Jul 28 09:46:58 2004 +0000
+++ b/roundup/cgi/client.py	Mon Aug 02 22:41:12 2004 +0000
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.186 2004-07-28 02:29:45 richard Exp $
+# $Id: client.py,v 1.187 2004-08-02 22:41:12 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
@@ -540,6 +540,9 @@
         # outside of the static files dir
         prefix = getattr(self.instance.config, 'STATIC_FILES',
             self.instance.config.TEMPLATES)
+
+        # normalise the prefix and filename for the startswith comparison
+        prefix = os.path.normpath(prefix)
         filename = os.path.normpath(os.path.join(prefix, file))
         if not filename.startswith(prefix):
             raise NotFound, file
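Review bot: The containment check on the line after the added normalisation still uses a bare `startswith(prefix)`, so any sibling path whose name merely begins with the prefix string also passes: once `normpath` has stripped the trailing separator from `prefix`, a resolved `filename` of `<prefix>_other/...` satisfies `filename.startswith(prefix)` just as well as a file inside the directory. The comparison should require a directory boundary, `if not filename.startswith(prefix + os.sep):`, which is safe here precisely because `os.path.normpath(prefix)` never leaves a trailing separator. Note that `normpath` is a purely lexical operation, so a symlink under the static directory pointing elsewhere would presumably still pass; if that matters for this deployment, `os.path.realpath` on both sides is the usual remedy. The enclosing method starts and ends outside this hunk.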
