Fix a security vulnerability that allowed maliciously crafted URLs to break out of the root server directory.

This commit is contained in:
Michael Lazar 2020-05-24 21:29:19 -04:00
parent ff2832f034
commit 50bde8b7f2
2 changed files with 9 additions and 4 deletions

View File

@ -2,11 +2,16 @@
### Unreleased
### v0.2.2 (2012-03-31)
### v0.2.3 (2020-05-24)
- Fix a security vulnerability that allowed maliciously crafted URLs to break
out of the root server directory.
### v0.2.2 (2020-03-31)
- Fix a regression in path matching for the static directory application.
### v0.2.1 (2012-03-31)
### v0.2.1 (2020-03-31)
- A hostname can now be specified in the route pattern, to facilitate running
multiple vhosts on a single jetforce server.
@ -17,7 +22,7 @@
- Added the following CGI variables for client certificates:
TLS_CLIENT_NOT_BEFORE, TLS_CLIENT_NOT_AFTER, TLS_CLIENT_SERIAL_NUMBER
### v0.2.0 (2012-01-21)
### v0.2.0 (2020-01-21)
#### Features

View File

@ -298,7 +298,7 @@ class StaticDirectoryApplication(JetforceApplication):
url_path = pathlib.Path(request.path.strip("/"))
filename = pathlib.Path(os.path.normpath(str(url_path)))
if filename.is_absolute() or str(filename.name).startswith(".."):
if filename.is_absolute() or str(filename).startswith(".."):
# Guard against breaking out of the directory
return Response(Status.NOT_FOUND, "Not Found")