# HG changeset patch
# User paulb
# Date 1116607176 0
# Node ID 306575a55a06a5fed62bd700a73fa3bfd5f228fe
# Parent 81b6b0717b317051dccc5808d8001dcb2b3eba54
[project @ 2005-05-20 16:39:36 by paulb] Added a fix for potential relative path exploits.
diff -r 81b6b0717b31 -r 306575a55a06 WebStack/Resources/Static.py
--- a/WebStack/Resources/Static.py Mon May 02 18:52:52 2005 +0000
+++ b/WebStack/Resources/Static.py Fri May 20 16:39:36 2005 +0000
@@ -45,8 +45,8 @@
 # Test for the file's existence.
- pathname = os.path.join(self.directory, filename)
- if not (os.path.exists(pathname) and os.path.isfile(pathname)):
+ pathname = os.path.abspath(os.path.join(self.directory, filename))
+ if not (pathname.startswith(os.path.join(self.directory, "/")) and os.path.exists(pathname) and os.path.isfile(pathname)):
 trans.set_response_code(404)
 trans.set_content_type(ContentType("text/plain"))
 out.write("Resource '%s' not found." % filename)
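Review bot: The containment test added on the `if not (...)` line does not constrain the path on POSIX, because `os.path.join(self.directory, "/")` discards `self.directory` when the second component is absolute and evaluates to `"/"`, which every result of `os.path.abspath` starts with. A `filename` carrying `..` segments therefore still resolves outside the served directory and is rejected only when the target does not exist or is not a regular file. Compare against the normalised base with a trailing separator instead, for example `base = os.path.abspath(self.directory)` followed by `pathname.startswith(os.path.join(base, ""))`; the trailing separator also keeps a sibling directory sharing the same name prefix from matching. If symlinks inside the directory matter, `os.path.realpath` on both sides would cover them as well. The enclosing method starts and ends outside the hunk, so how `filename` is derived from the request is not visible here.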