From ccee54b448b2434900c8ba12e13c2384421d3f93 Mon Sep 17 00:00:00 2001
From: Michael Lazar
Date: Tue, 6 Aug 2019 10:35:03 -0400
Subject: [PATCH] Better solution for isolating directory that handles relative links

---
 jetforce.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/jetforce.py b/jetforce.py
index 29ab9f5..bac9b4a 100644
--- a/jetforce.py
+++ b/jetforce.py
@@ -3,6 +3,7 @@ import argparse
 import asyncio
 import datetime
 import mimetypes
+import os
 import pathlib
 import ssl
 import subprocess
@@ -91,14 +92,14 @@ class StaticDirectoryApp:
     def __iter__(self) -> typing.Iterator[bytes]:
         url_path = pathlib.Path(self.environ["PATH_INFO"].strip("/"))
-        filesystem_path = (self.root / url_path).resolve()
-        try:
-            filesystem_path.relative_to(self.root)
-        except ValueError:
+        filename = pathlib.Path(os.path.normpath(str(url_path)))
+        if filename.is_absolute() or filename.parts[0] == "..":
             # Guard against breaking out of the directory
             self.send_status(STATUS_NOT_FOUND, "Not Found")
             return
+        else:
+            filesystem_path = self.root / filename
 
         if filesystem_path.is_file():
             mimetype = self.guess_mimetype(filesystem_path.name)