fix security hole in serve_static_file
Richard Jones committed May 27, 2004
1 parent e701212 commit 671a2fe
Showing 2 changed files with 18 additions and 3 deletions.
11 changes: 10 additions & 1 deletion CHANGES.txt
@@ -6,6 +6,8 @@ Fixed:
- add "checked" to truth values for Boolean input
- fixed import in metakit backend
- fix SearchAction use of Class.filter(), and clarify API docs for same
- ensure static files may only be served out of the tracker's "static
files" directory


2004-05-17 0.7.2
@@ -193,7 +195,14 @@ Cleanup:
class


2004-??-?? 0.6.9
2004-05-17 0.6.10
Fixed:
- mysql backend wasn't locking tracker
- ensure static files may only be served out of the tracker's "static
files" directory


2004-04-18 0.6.9
Fixed:
- paging in classhelp popup was broken
- socket timeout error logging can fail
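Review bot: the new `2004-05-17 0.6.10` heading carries the same date as the `2004-05-17 0.7.2` entry further up and predates this commit (May 27, 2004), so the 0.6.10 release date looks like a placeholder copied from the 0.7.2 line; either fix the date before the 0.6.10 tag is cut or leave it as `2004-??-??` like the old 0.6.9 line was until the release actually happens.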
10 changes: 8 additions & 2 deletions roundup/cgi/client.py
@@ -1,4 +1,4 @@
# $Id: client.py,v 1.176 2004-05-04 05:56:54 richard Exp $
# $Id: client.py,v 1.176.2.1 2004-05-27 21:52:44 richard Exp $

"""WWW request handler (also used in the stand-alone server).
"""
@@ -455,7 +455,13 @@ def serve_file(self, designator, dre=re.compile(r'([^\d]+)(\d+)')):
def serve_static_file(self, file):
''' Serve up the file named from the templates dir
'''
filename = os.path.join(self.instance.config.TEMPLATES, file)
# figure the filename - ensure the load doesn't try to poke
# outside of the static files dir
prefix = getattr(self.instance.config, 'STATIC_FILES',
self.instance.config.TEMPLATES)
filename = os.path.normpath(os.path.join(prefix, file))
if not filename.startswith(prefix):
raise NotFound, file

# last-modified time
lmt = os.stat(filename)[stat.ST_MTIME]
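Review bot: the `if not filename.startswith(prefix):` check is a bare string-prefix test, so a normalised path that lands in a sibling directory whose name merely begins with the static directory's name (prefix `.../html`, filename `.../html2/secret`) still passes, and `prefix` itself is never normalised, so a configured `STATIC_FILES`/`TEMPLATES` value with a trailing slash or a `..` component makes the comparison fail or succeed for the wrong reason. Suggest `prefix = os.path.normpath(prefix)` before the join and then `if not filename.startswith(prefix + os.sep):` (or compare `os.path.dirname(filename)` against `prefix`), and, since the test is purely lexical, run `os.path.realpath` on both sides if symlinks under the static directory are a concern. The docstring still says "from the templates dir" although the directory now comes from `STATIC_FILES` when that option is configured.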