From afd51e0823524eec683b226a20f40d958253064f Mon Sep 17 00:00:00 2001
From: lazydog
Date: Fri, 14 Apr 2017 02:55:39 +0800
Subject: [PATCH 1/2] fix directory traversal flaw

---
 sanic/static.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sanic/static.py b/sanic/static.py
index adbdd0ea93..3f95253c1e 100644
--- a/sanic/static.py
+++ b/sanic/static.py
@@ -48,14 +48,18 @@ async def _handler(request, file_uri=None):
         # Merge served directory and requested file if provided
         # Strip all / that in the beginning of the URL to help prevent python
         # from herping a derp and treating the uri as an absolute path
-        file_path = file_or_directory
+        root_path = file_or_directory
         if file_uri:
             file_path = path.join(
                 file_or_directory, sub('^[/]*', '', file_uri))
 
         # URL decode the path sent by the browser otherwise we won't be able to
         # match filenames which got encoded (filenames with spaces etc)
-        file_path = unquote(file_path)
+        file_path = path.abspath(unquote(file_path))
+        if not file_path.startswith(root_path):
+            raise FileNotFound('File not found',
+                               path=file_or_directory,
+                               relative_url=file_uri)
         try:
             headers = {}
             # Check if the client has been sent this file before

From ae09dec05e10816b37eed425c87e193d230c5a73 Mon Sep 17 00:00:00 2001
From: lazydog
Date: Fri, 14 Apr 2017 03:38:55 +0800
Subject: [PATCH 2/2] fixed `UnboundLocalError`

---
 sanic/static.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sanic/static.py b/sanic/static.py
index 3f95253c1e..24fce4ff67 100644
--- a/sanic/static.py
+++ b/sanic/static.py
@@ -48,7 +48,7 @@ async def _handler(request, file_uri=None):
         # Merge served directory and requested file if provided
         # Strip all / that in the beginning of the URL to help prevent python
         # from herping a derp and treating the uri as an absolute path
-        root_path = file_or_directory
+        root_path = file_path = file_or_directory
         if file_uri:
             file_path = path.join(
                 file_or_directory, sub('^[/]*', '', file_uri))
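Review bot: The containment check `if not file_path.startswith(root_path):` in the first hunk is a plain string-prefix test, so a served root of (example) `/srv/static` also accepts `/srv/static-private/secret`, or any sibling whose name merely extends the root, and it compares the absolutised `file_path` against an un-normalised `root_path`, so if `file_or_directory` is ever relative or carries a trailing separator the comparison fails or succeeds for the wrong reason. Normalise the root the same way and anchor the prefix at a separator: `root_path = path.abspath(file_or_directory)` and `if not (file_path == root_path or file_path.startswith(root_path + path.sep)):` (equivalently `path.commonpath([root_path, file_path]) != root_path`, assuming `path` is `os.path`). `path.abspath` does not resolve symlinks, so a link inside the served tree that points outside it still passes; `path.realpath` on both sides would close that if the deployment does not depend on such links. The `_handler` body continues outside the hunk, and the second patch's chained assignment only fixes the unbound `file_path` for the no-`file_uri` case without changing this comparison.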