Changeset 922

Timestamp:

01/10/06 15:47:24

Author:

fumanchu

Message:

A more inclusive, os-level check for staticfilter uplevel attacks.

Files:

• trunk/cherrypy/filters/staticfilter.py (modified) (4 diffs)

trunk/cherrypy/filters/staticfilter.py

@@ -24 +24 @@
-                return
-        
+        root = config.get('static_filter.root', '').rstrip(r"\/")
-        filename = config.get('static_filter.file')
-
+
+
+
-            staticDir = config.get('static_filter.dir')
-            if not staticDir:
@@ -39 +42 @@
-            extraPath = urllib.unquote(extraPath)
-            # If extraPath is "", filename will end in a slash
-            if '..' in extraPath:
-                # Disallow '..' (security flaw)
-                raise cherrypy.HTTPError(403) # Forbidden
-            filename = os.path.join(staticDir, extraPath)
-        
@@ -48 +48 @@
-        # a relative path to serveFile.
-        if not os.path.isabs(filename):
-            root = config.get('static_filter.root', '').rstrip(r"\/")
-            if not root:
-                msg = ("StaticFilter requires an absolute final path. "
@@ -55 +54 @@
-            filename = os.path.join(root, filename)
-        
+        # If we used static_filter.dir, then there's a chance that the
+        # extraPath pulled from the URL might have ".." or similar uplevel
+        # attacks in it. Check that the final file is a child of staticDir.
+        # Note that we do not check static_filter.file--that can point
+        # anywhere (since it does not use the request URL).
+        if staticDir:
+            if not os.path.isabs(staticDir):
+                staticDir = os.path.join(root, staticDir)
+            if not os.path.normpath(filename).startswith(os.path.normpath(staticDir)):
+                raise cherrypy.HTTPError(403) # Forbidden
+            
-        try:
-            cptools.serveFile(filename)