Like this?

+ rel = os.path.abspath(os.path.join(self.server.root, path))
+ if not rel.startswith(os.path.abspath(self.server.root) ):
On Oct 12, 2012, at 2:09 PM, Matt Beaumont-Gay <[email protected]> wrote:

> On Fri, Oct 12, 2012 at 2:04 PM, Ted Kremenek <[email protected]> wrote:
>> I'm not very familiar with Python, but would this do what you suggest:
>>
>> def send_path(self, path):
>> # If the requested path is outside the root directory, do not open it
>> - rel = os.path.relpath(path, self.server.root)
>> - if rel.startswith(os.pardir + os.sep):
>> + rel = os.path.abspath(os.path.relpath(path, self.server.root))
>
> The argument to abspath should be 'os.path.join(self.server.root,
> path)', since the relpath would be interpreted relative to the server
> process's cwd. LGTM otherwise.
>
>> + if not rel.startswith(os.path.abspath(self.server.root)):
>> return self.send_404()
>>
>> On Oct 12, 2012, at 1:49 PM, Matt Beaumont-Gay <[email protected]> wrote:
>>
>>> Comment from the peanut gallery: I'm totally unfamiliar with this
>>> code, but this patch makes my hacker sense tingle. I can't immediately
>>> come up with a way to break it, but I'd believe in this code more if
>>> it called os.path.abspath and checked that the result has
>>> self.server.root as a prefix.
>>>
>>> On Fri, Oct 12, 2012 at 12:16 PM, Ted Kremenek <[email protected]> wrote:
>>>> Author: kremenek
>>>> Date: Fri Oct 12 14:16:31 2012
>>>> New Revision: 165815
>>>>
>>>> URL: http://llvm.org/viewvc/llvm-project?rev=165815&view=rev
>>>> Log:
>>>> Have scan-view guard against serving up pages outside the root directory.
>>>>
>>>> Modified:
>>>> cfe/trunk/tools/scan-view/ScanView.py
>>>>
>>>> Modified: cfe/trunk/tools/scan-view/ScanView.py
>>>> URL:
>>>> http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/scan-view/ScanView.py?rev=165815&r1=165814&r2=165815&view=diff
>>>> ==============================================================================
>>>> --- cfe/trunk/tools/scan-view/ScanView.py (original)
>>>> +++ cfe/trunk/tools/scan-view/ScanView.py Fri Oct 12 14:16:31 2012
>>>> @@ -707,6 +707,11 @@ >>>> return None >>>> >>>> def send_path(self, path): >>>> + # If the requested path is outside the root directory, do not >>>> open it >>>> + rel = os.path.relpath(path, self.server.root) >>>> + if rel.startswith(os.pardir + os.sep): >>>> + return self.send_404() >>>> + >>>> ctype = self.guess_type(path) >>>> if ctype.startswith('text/'): >>>> # Patch file instead >>>> >>>> >>>> _______________________________________________ >>>> cfe-commits mailing list >>>> [email protected] >>>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits >> _______________________________________________ cfe-commits mailing list [email protected] http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
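Review bot: the guard in the send_path hunk, `if rel.startswith(os.pardir + os.sep):`, only rejects a relative path that begins with "../" and lets through the case where rel is exactly ".." (a request that resolves to the root's parent directory itself); and because os.path.relpath resolves a relative `path` against the process cwd rather than self.server.root, rel is not "the path relative to the root" unless `path` is already absolute. Suggest computing from `os.path.join(self.server.root, path)` and testing `rel == os.pardir or rel.startswith(os.pardir + os.sep)`, or normalising with os.path.abspath and comparing against `os.path.abspath(self.server.root) + os.sep` (accepting the root itself separately), so that a sibling directory whose name merely shares the root's name as a string prefix is not accepted either. Neither form resolves symlinks inside the root; os.path.realpath on both sides would be needed for that.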

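The thread above discusses three shapes of the same containment check: the committed "relpath starts with ../" test, the abspath string-prefix test proposed in the replies, and the cwd issue Matt raises. The block below is an added example, not scan-view's code and not from any participant in the thread; it puts the three checks side by side and runs them over a set of constructed request paths against an assumed root directory (`ROOT`, a made-up path). It uses `posixpath` explicitly so the verdicts do not depend on the host platform, and never opens anything on disk. The `check_contained` variant is the editor's hardened form, anchoring the prefix at a directory boundary.

```python
import posixpath

# Constructed sample root directory (an assumption; scan-view's real root is
# whatever the server was started with). Only path arithmetic is done here,
# nothing on disk is opened; posixpath is used explicitly so that the verdicts
# do not depend on the host platform. Each check returns True when the request
# would be served and False when the server should answer with a 404.
ROOT = "/srv/scan-view/root"


def check_relpath_prefix(root, path):
    """The test as committed in r165815: reject when the path relative to
    root begins with '../'. relpath() resolves a *relative* path against the
    process cwd, not against root, so for a bare request such as
    'index.html' the verdict depends on where the server was started."""
    rel = posixpath.relpath(path, root)
    return not rel.startswith(posixpath.pardir + posixpath.sep)


def check_abspath_prefix(root, path):
    """The follow-up proposal from the thread: normalise root/path and require
    abspath(root) as a plain string prefix of the result."""
    full = posixpath.abspath(posixpath.join(root, path))
    return full.startswith(posixpath.abspath(root))


def check_contained(root, path):
    """Hardened variant (added here, not scan-view's code): the prefix test is
    anchored at a directory boundary, so a sibling such as root2/ that merely
    shares the root's name as a string prefix is rejected, while a request
    for the root directory itself is still allowed. Symlinks are not
    resolved; use realpath() on both sides if links inside root matter."""
    root_abs = posixpath.abspath(root)
    full = posixpath.abspath(posixpath.join(root_abs, path))
    return full == root_abs or full.startswith(root_abs + posixpath.sep)


# Constructed requests, chosen so that each check disagrees with at least one
# of the others. The absolute ones give the same answer regardless of cwd.
REQUESTS = {
    "inside":      "index.html",
    "dotdot":      "../../etc/passwd",
    "sibling":     "../root2/secret.txt",
    "sibling_abs": "/srv/scan-view/root/../root2/secret.txt",
    "parent_abs":  "/srv/scan-view",   # relpath() of this is exactly '..'
}


def traversal_verdicts(root=ROOT, requests=REQUESTS):
    """Map each request name to its (relpath, abspath_prefix, contained)
    verdict triple, True meaning the request would be served."""
    return {
        name: (check_relpath_prefix(root, p),
               check_abspath_prefix(root, p),
               check_contained(root, p))
        for name, p in requests.items()
    }


if __name__ == "__main__":
    for name, verdict in traversal_verdicts().items():
        print("%-12s relpath=%-5s abspath_prefix=%-5s contained=%s"
              % ((name,) + verdict))
```

Running it shows the two failure modes the thread circles around: `parent_abs` slips past the committed check because its relpath is `..` with no trailing separator, and both `sibling` requests slip past the plain string-prefix check because `/srv/scan-view/root2` starts with `/srv/scan-view/root`. For the relative requests (`inside`, `dotdot`, `sibling`) the relpath verdict changes with the process cwd, which is the point Matt makes about `os.path.relpath`; the other two checks are cwd-independent.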