Fix a security vulnerability that allowed maliciously crafted URLs to break out of the root server directory.
This commit is contained in:
parent
ff2832f034
commit
50bde8b7f2
11
CHANGELOG.md
11
CHANGELOG.md
|
@ -2,11 +2,16 @@
|
|||
|
||||
### Unreleased
|
||||
|
||||
### v0.2.2 (2012-03-31)
|
||||
### v0.2.3 (2020-05-24)
|
||||
|
||||
- Fix a security vulnerability that allowed maliciously crafted URLs to break
|
||||
out of the root server directory.
|
||||
|
||||
### v0.2.2 (2020-03-31)
|
||||
|
||||
- Fix a regression in path matching for the static directory application.
|
||||
|
||||
### v0.2.1 (2012-03-31)
|
||||
### v0.2.1 (2020-03-31)
|
||||
|
||||
- A hostname can now be specified in the route pattern, to facilitate running
|
||||
multiple vhosts on a single jetforce server.
|
||||
|
@ -17,7 +22,7 @@
|
|||
- Added the following CGI variables for client certificates:
|
||||
TLS_CLIENT_NOT_BEFORE, TLS_CLIENT_NOT_AFTER, TLS_CLIENT_SERIAL_NUMBER
|
||||
|
||||
### v0.2.0 (2012-01-21)
|
||||
### v0.2.0 (2020-01-21)
|
||||
|
||||
#### Features
|
||||
|
||||
|
|
|
@ -298,7 +298,7 @@ class StaticDirectoryApplication(JetforceApplication):
|
|||
url_path = pathlib.Path(request.path.strip("/"))
|
||||
|
||||
filename = pathlib.Path(os.path.normpath(str(url_path)))
|
||||
if filename.is_absolute() or str(filename.name).startswith(".."):
|
||||
if filename.is_absolute() or str(filename).startswith(".."):
|
||||
# Guard against breaking out of the directory
|
||||
return Response(Status.NOT_FOUND, "Not Found")
|
||||
|
||||
|
|
Loading…
Reference in New Issue