Remi Delon  committed 60e23de

Patch for serious security flaw in staticfilter

  • Parent commits bab5d1e

Files changed (2)

File cherrypy/_cputil.py

         f.close()
 
 
-_HTTPErrorTemplate = '''<html>
+_HTTPErrorTemplate = '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html>
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
     <title>%(status)s</title>
     <style type="text/css">
-    #poweredBy {
+    #powered_by {
         margin-top: 20px;
         border-top: 2px solid black;
         font-style: italic;
         <h2>%(status)s</h2>
         <p>%(message)s</p>
         <pre id="traceback">%(traceback)s</pre>
-    <div id="poweredBy">
+    <div id="powered_by">
     <span>Powered by <a href="http://www.cherrypy.org">CherryPy %(version)s</a></span>
     </div>
     </body>
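Review bot: the DOCTYPE addition and the `#poweredBy` to `#powered_by` rename are unrelated to the staticfilter fix named in the commit message, so a reader auditing the security change has to wade through cosmetic template edits; they belong in a separate commit. If the rename stays, note that the CSS selector and the `<div id="powered_by">` are both changed here, but any other stylesheet or test that referenced `poweredBy` would now silently miss.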

File cherrypy/filters/staticfilter.py

             extraPath = extraPath.lstrip(r"\/")
             extraPath = urllib.unquote(extraPath)
             # If extraPath is "", filename will end in a slash
+            if '..' in extraPath:
+                # Disallow '..' (secutiry flaw)
+                raise cherrypy.HTTPError(403) # Forbidden
             filename = os.path.join(staticDir, extraPath)
         
         # If filename is relative, make absolute using "root".
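Review bot: the new check is placed after `urllib.unquote`, which is right, but `'..' in extraPath` is a substring test, so it also rejects legitimate names such as `a..b`, and it does not establish that the final path lies under `staticDir`: `lstrip(r"\/")` runs before `unquote`, so a separator that is still percent-encoded at that point survives into `extraPath`, and `os.path.join(staticDir, extraPath)` discards `staticDir` whenever its second argument is absolute. A more robust guard is to compute the joined path, normalise it with `os.path.normpath` / `os.path.abspath`, and raise the 403 unless the result starts with the normalised `staticDir` plus a separator. Also fix the typo in the comment: "secutiry" should be "security".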