Fix static mounts using relative paths and prevent traversal exploits #554
While debugging why my static mounts using a relative path (
The reason is that datasette tries to prevent traversal exploits by checking if the path is relative to its registered directory. This check fails when the mount is a relative directory, because
This also has the consequence of returning any requested file, because when
I've implemented the mentioned changes and also updated the tests.
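The failure mode described in this pull request, reproduced as an added example (it is not datasette's code and not part of the PR): a containment check that resolves only the requested path rejects every file under a relative mount, while resolving the root first keeps the check working. The function names and the `static`/`secret.txt` layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_is_inside(root, requested):
    """Resolve only the requested path, then compare it with root as given."""
    full_path = (Path(root) / requested).resolve()
    try:
        # With a relative root this compares an absolute path to a relative one.
        full_path.relative_to(root)
    except ValueError:
        return False
    return True


def safe_resolve(root, requested):
    """Return the resolved path if it is a file inside root, otherwise None."""
    root_path = Path(root).resolve()
    full_path = (root_path / requested).resolve()
    try:
        full_path.relative_to(root_path)
    except ValueError:
        return None  # escaped the mount, e.g. via "../"
    return full_path if full_path.is_file() else None


def demo():
    """Run both checks against a constructed tree, using a relative mount."""
    results = {}
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        (base / "static").mkdir()
        (base / "static" / "app.css").write_text("body {}")
        (base / "secret.txt").write_text("not for serving")
        os.chdir(base)
        try:
            for requested in ("app.css", "../secret.txt", "missing.css"):
                results[requested] = (
                    naive_is_inside("static", requested),
                    safe_resolve("static", requested) is not None,
                )
        finally:
            os.chdir(old_cwd)
    return results
```

Each value returned by `demo()` is a pair `(naive check passed, hardened check passed)` for one requested path.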
referenced this pull request
Jul 9, 2019
I wanted to add a test for it too, but I've realized it's impossible to test a server process as we cannot get its exit code.
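```python
# tests/test_cli.py
import sys

from click.testing import CliRunner

from datasette.cli import cli


def test_static_mounts_on_windows():
    # Skip on non-Windows platforms
    if sys.platform != "win32":
        return
    runner = CliRunner()
    result = runner.invoke(
        cli, ["serve", "--static", r"s:C:\\"]
    )
    assert result.exit_code == 0
```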
Thanks for this!
The tests are failing for Python 3.5 right now which is strange. https://travis-ci.org/simonw/datasette/jobs/556272017
One failure looks like this:
Maybe an exception was renamed between 3.5 and 3.6?
Released as 0.29.1: https://datasette.readthedocs.io/en/latest/changelog.html#v0-29-1