fix static file path normalisation in security check (thanks David Linke)

Author: Richard Jones

CHANGES.txt

@@ -32,7 +32,7 @@ Fixed:
 - ZRoundup's search interface works now (sf bug 994957)
 - fixed history display when "ascending"
 - removed references to py2.3+ boolean values (sf bug 995682)
-
+- fix static file path normalisation in security check (thanks David Linke)
 
 
 2004-07-21 0.7.6

TODO.txt

@@ -11,10 +11,14 @@ Required:
 - fix admin_guide referring to structure of trackers
 - add config.ini section descriptions
 - review use of hasPermission etc. in classic template
+- how to override Client class methods like determine_user?
 
 
 Optionally:
 - have rdbms backends look up the journal for actor if it's not set
 - migrate to numeric ID values (fixes bug 817217)
 - configuration editing in Web User Interface: core config,
   standalone server config, detectors and extensions configurations
+- refactor backends to have a common Database class that manages them all,
+  allowing different Class implementations from differen backends in the
+  one tracker

roundup/cgi/client.py

@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.186 2004-07-28 02:29:45 richard Exp $
+# $Id: client.py,v 1.187 2004-08-02 22:41:12 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
@@ -540,6 +540,9 @@ def serve_static_file(self, file):
         # outside of the static files dir
         prefix = getattr(self.instance.config, 'STATIC_FILES',
             self.instance.config.TEMPLATES)
+
+        # normalise the prefix and filename for the startswith comparison
+        prefix = os.path.normpath(prefix)
         filename = os.path.normpath(os.path.join(prefix, file))
         if not filename.startswith(prefix):
             raise NotFound, file