Fix a possible security risk presented by path traversal.

modules/WebServer.py

@@ -1,5 +1,6 @@
 # coding=utf-8
 import threading
+import os
 
 server = None
 web_server_ip = "0.0.0.0"
@@ -53,14 +54,23 @@ def start_web_server():
 
         # Do not attempt to fix code warnings in the below class, it is perfect.
         class QuietHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
+            real_server_path = os.path.realpath(web_server_template)
+
             # quiet server logs
             def log_message(self, format, *args):
                 return
 
-            # serve from www folder under current working dir
+            # serve from web_server_template folder under current working dir
             def translate_path(self, path):
                 return SimpleHTTPServer.SimpleHTTPRequestHandler.translate_path(self, '/' + web_server_template + path)
 
+            def send_head(self):
+                local_path = self.translate_path(self.path)
+                if os.path.commonprefix((os.path.realpath(local_path), self.real_server_path)) != self.real_server_path:
+                    self.send_error(404, "These aren't the droids you're looking for")
+                    return None
+                return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
+
         global server
         SocketServer.TCPServer.allow_reuse_address = True
         server = SocketServer.TCPServer((host, port), QuietHandler)