Fix a security vulnerability that allowed maliciously crafted URLs to break out of the root server directory.

2020-05-24 21:29:19 -04:00 · 2020-05-24 21:29:19 -04:00 · 50bde8b7f2
parent ff2832f034
commit 50bde8b7f2
2 changed files with 9 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,11 +2,16 @@

 ### Unreleased

-### v0.2.2 (2012-03-31)
+### v0.2.3 (2020-05-24)
+
+- Fix a security vulnerability that allowed maliciously crafted URLs to break
+  out of the root server directory.
+
+### v0.2.2 (2020-03-31)

 - Fix a regression in path matching for the static directory application.
  
-### v0.2.1 (2012-03-31)
+### v0.2.1 (2020-03-31)

 - A hostname can now be specified in the route pattern, to facilitate running
  multiple vhosts on a single jetforce server.
@ -17,7 +22,7 @@
 - Added the following CGI variables for client certificates:
  TLS_CLIENT_NOT_BEFORE, TLS_CLIENT_NOT_AFTER, TLS_CLIENT_SERIAL_NUMBER

-### v0.2.0 (2012-01-21)
+### v0.2.0 (2020-01-21)

 #### Features

--- a/jetforce.py
+++ b/jetforce.py
@ -298,7 +298,7 @@ class StaticDirectoryApplication(JetforceApplication):
        url_path = pathlib.Path(request.path.strip("/"))

        filename = pathlib.Path(os.path.normpath(str(url_path)))
-        if filename.is_absolute() or str(filename.name).startswith(".."):
+        if filename.is_absolute() or str(filename).startswith(".."):
            # Guard against breaking out of the directory
            return Response(Status.NOT_FOUND, "Not Found")