
Robert Brewer  committed 6197341

Test for staticfilter uplevel security, plus a more-informative error if staticfilter can't obtain an absolute path.

  • Parent commits 60e23de


Files changed (2)

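--- a/cherrypy/filters/staticfilter.py
+++ b/cherrypy/filters/staticfilter.py
             extraPath = urllib.unquote(extraPath)
             # If extraPath is "", filename will end in a slash
             if '..' in extraPath:
-                # Disallow '..' (secutiry flaw)
+                # Disallow '..' (security flaw)
                 raise cherrypy.HTTPError(403) # Forbidden
             filename = os.path.join(staticDir, extraPath)
         
         # a relative path to serveFile.
         if not os.path.isabs(filename):
             root = config.get('static_filter.root', '').rstrip(r"\/")
-            if root:
-                filename = os.path.join(root, filename)
+            if not root:
+                msg = ("StaticFilter requires an absolute final path. "
+                       "Make static_filter.dir, .file, or .root absolute.")
+                raise cherrypy.WrongConfigValue(msg)
+            filename = os.path.join(root, filename)
         
         try:
             cptools.serveFile(filename)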
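Review bot: The `'..' in extraPath` test on the decoded path is a substring blacklist rather than a containment check, so it rejects only one escape pattern; if `extraPath` can arrive with a leading separator (or a drive letter on Windows), `os.path.join(staticDir, extraPath)` discards `staticDir` entirely and the request escapes the static root without any `..` in it. How `extraPath` is derived is outside this hunk, so I cannot confirm that input is reachable, but a canonical-path check performed after the root is applied closes both cases at once: `filename = os.path.normpath(filename)` followed by `if not filename.startswith(os.path.join(os.path.normpath(staticDir), '')): raise cherrypy.HTTPError(403)`, with `staticDir` normalized the same way the final path is. As a side effect the current blacklist also refuses legitimate names such as `foo..bar`. The enclosing function starts and ends outside this hunk.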

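--- a/cherrypy/test/test_static_filter.py
+++ b/cherrypy/test/test_static_filter.py
         self.assertInBody("WrongConfigValue: StaticFilter requires either "
                           "static_filter.file or static_filter.dir "
                           "(/error/thing.html)")
+        
+        # Test up-level security
+        self.getPage("/static/../style.css")
+        self.assertStatus('403 Forbidden')
 
 
 if __name__ == "__main__":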
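Review bot: The new case exercises only a literal `..`; because the filter unquotes the path before checking it, a percent-encoded traversal is the variant most likely to regress if that ordering ever changes, and it is not covered here. Adding `self.getPage("/static/%2e%2e/style.css")` followed by `self.assertStatus('403 Forbidden')` pins the decode-before-check behavior. If `getPage` normalizes dot segments client-side before sending, the literal case may never reach the filter at all; that cannot be confirmed from this hunk. The enclosing test method starts outside this hunk.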