fix security hole in serve_static_file

Richard Jones · Richard Jones · commit bbc7441f79e6 · 2004-05-27T21:53:44.000Z
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -8,14 +8,16 @@ Feature:
 - implement __nonzero__ for HTMLProperty
 
 
-2004-05-?? 0.7.3
+2004-05-28 0.7.3
 Fixed:
 - add "checked" to truth values for Boolean input
 - fixed import in metakit backend
 - fix SearchAction use of Class.filter(), and clarify API docs for same
+- ensure static files may only be served out of the tracker's "static
+  files" directory
 
 
-2004-05-?? 0.7.2
+2004-05-17 0.7.2
 Fixed:
 - anydbm sorting with None values (sf bug 952853)
 - roundup-server -g option not recognised (sf bug 952310)
@@ -200,7 +202,14 @@ Cleanup:
     class
 
 
-2004-??-?? 0.6.9
+2004-05-17 0.6.10
+Fixed:
+- mysql backend wasn't locking tracker
+- ensure static files may only be served out of the tracker's "static
+  files" directory
+
+
+2004-04-18 0.6.9
 Fixed:
 - paging in classhelp popup was broken
 - socket timeout error logging can fail
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.177 2004-05-11 13:32:05 a1s Exp $
+# $Id: client.py,v 1.178 2004-05-27 21:51:43 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
@@ -519,7 +519,13 @@ def serve_file(self, designator, dre=re.compile(r'([^\d]+)(\d+)')):
     def serve_static_file(self, file):
         ''' Serve up the file named from the templates dir
         '''
-        filename = os.path.join(self.instance.config.TEMPLATES, file)
+        # figure the filename - ensure the load doesn't try to poke
+        # outside of the static files dir
+        prefix = getattr(self.instance.config, 'STATIC_FILES',
+            self.instance.config.TEMPLATES)
+        filename = os.path.normpath(os.path.join(prefix, file))
+        if not filename.startswith(prefix):
+            raise NotFound, file
 
         # last-modified time
         lmt = os.stat(filename)[stat.ST_MTIME]
