fix security hole in serve_static_file

Richard Jones · Richard Jones · commit 671a2fe8dac0 · 2004-05-27T21:53:44.000Z
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -6,6 +6,8 @@ Fixed:
 - add "checked" to truth values for Boolean input
 - fixed import in metakit backend
 - fix SearchAction use of Class.filter(), and clarify API docs for same
+- ensure static files may only be served out of the tracker's "static
+  files" directory
 
 
 2004-05-17 0.7.2
@@ -193,7 +195,14 @@ Cleanup:
     class
 
 
-2004-??-?? 0.6.9
+2004-05-17 0.6.10
+Fixed:
+- mysql backend wasn't locking tracker
+- ensure static files may only be served out of the tracker's "static
+  files" directory
+
+
+2004-04-18 0.6.9
 Fixed:
 - paging in classhelp popup was broken
 - socket timeout error logging can fail
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.176 2004-05-04 05:56:54 richard Exp $
+# $Id: client.py,v 1.176.2.1 2004-05-27 21:52:44 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
@@ -455,7 +455,13 @@ def serve_file(self, designator, dre=re.compile(r'([^\d]+)(\d+)')):
     def serve_static_file(self, file):
         ''' Serve up the file named from the templates dir
         '''
-        filename = os.path.join(self.instance.config.TEMPLATES, file)
+        # figure the filename - ensure the load doesn't try to poke
+        # outside of the static files dir
+        prefix = getattr(self.instance.config, 'STATIC_FILES',
+            self.instance.config.TEMPLATES)
+        filename = os.path.normpath(os.path.join(prefix, file))
+        if not filename.startswith(prefix):
+            raise NotFound, file
 
         # last-modified time
         lmt = os.stat(filename)[stat.ST_MTIME]
