Contain directory traversal for static files to host static root.
dannon committed Dec 5, 2022
1 parent 7136d72 commit e5e6bda
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion lib/galaxy/web/framework/middleware/static.py
@@ -38,7 +38,11 @@ def __call__(self, environ, start_response):
directory = host_val
break

full = os.path.join(directory, filename)
full = self.normpath(os.path.join(directory, filename))
if not full.startswith(directory):
# Out of bounds
return self.not_found(environ, start_response)

if not os.path.exists(full):
return self.not_found(environ, start_response)
if os.path.isdir(full):
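Review bot: The new `if not full.startswith(directory):` is a plain string-prefix test, so a sibling path that merely shares the prefix — a static root of `/srv/static` and a resolved path of `/srv/static-old/secret`, for instance — passes as in-bounds, while the intended boundary is the directory itself. Compare against the root plus a separator, normalizing the root the same way as the candidate so a trailing slash or `..` in `host_val` cannot skew the comparison: `root = self.normpath(directory)`, `full = self.normpath(os.path.join(root, filename))`, `if full != root and not full.startswith(root + os.sep):`. The `full != root` clause keeps the root directory itself reachable, which the `os.path.isdir(full)` branch below appears to expect. `self.normpath` is defined outside this hunk; if it is only a lexical normalization like `os.path.normpath`, a symlink under the root that points elsewhere is still served, which may be intentional but deserves a comment such as `# Lexical containment only: symlinks under the root are followed.`. `__call__` begins and continues outside the hunk.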

