changeset 2656:b386e8811932 maint-0.7
merge from HEAD
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Mon, 02 Aug 2004 22:42:55 +0000 |
| parents | eaf74cf96cfa |
| children | d3a8613fd8c3 |
| files | CHANGES.txt roundup/cgi/client.py |
| diffstat | 2 files changed, 5 insertions(+), 2 deletions(-) [+] |
--- a/CHANGES.txt Thu Jul 22 04:46:11 2004 +0000 +++ b/CHANGES.txt Mon Aug 02 22:42:55 2004 +0000 @@ -6,7 +6,7 @@ - ZRoundup's search interface works now (sf bug 994957) - fixed history display when "ascending" - removed references to py2.3+ boolean values (sf bug 995682) - +- fix static file path normalisation in security check (thanks David Linke) 2004-07-21 0.7.6 Fixed:
--- a/roundup/cgi/client.py Thu Jul 22 04:46:11 2004 +0000 +++ b/roundup/cgi/client.py Mon Aug 02 22:42:55 2004 +0000 @@ -1,4 +1,4 @@ -# $Id: client.py,v 1.176.2.3 2004-07-20 02:10:43 richard Exp $ +# $Id: client.py,v 1.176.2.4 2004-08-02 22:42:55 richard Exp $ """WWW request handler (also used in the stand-alone server). """ @@ -460,6 +460,9 @@ # outside of the static files dir prefix = getattr(self.instance.config, 'STATIC_FILES', self.instance.config.TEMPLATES) + + # normalise the prefix and filename for the startswith comparison + prefix = os.path.normpath(prefix) filename = os.path.normpath(os.path.join(prefix, file)) if not filename.startswith(prefix): raise NotFound, file
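Review bot: the CHANGES.txt entry says which check is fixed but not which configuration it concerns; since the client.py hunk shows the prefix coming from `STATIC_FILES` with a fallback to `TEMPLATES`, naming that setting in the entry ("static file path normalisation in security check for STATIC_FILES/TEMPLATES") would let administrators tell whether their installation was affected.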
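Review bot: in the client.py hunk at @@ -460,6 +460,9 @@, normalising `prefix` makes the `startswith` comparison consistent, but a bare string-prefix test still accepts any sibling directory whose name begins with the prefix (for a prefix of `html`, a normalised path under `html_private` passes). The check should require a separator boundary, e.g. `if not (filename == prefix or filename.startswith(prefix + os.sep)): raise NotFound, file`. Note also that `os.path.normpath` only rewrites the string and does not resolve symbolic links, so a link inside the static directory can still point outside it; if that matters here, `os.path.realpath` on both sides before the comparison would close it.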
