Robert Brewer committed 6197341

Test for staticfilter uplevel security, plus a more-informative error if staticfilter can't obtain an absolute path.

Comments (0)

Files changed (2)


             extraPath = urllib.unquote(extraPath)
             # If extraPath is "", filename will end in a slash
             if '..' in extraPath:
-                # Disallow '..' (secutiry flaw)
+                # Disallow '..' (security flaw)
                 raise cherrypy.HTTPError(403) # Forbidden
             filename = os.path.join(staticDir, extraPath)
         # a relative path to serveFile.
         if not os.path.isabs(filename):
             root = config.get('static_filter.root', '').rstrip(r"\/")
-            if root:
-                filename = os.path.join(root, filename)
+            if not root:
+                msg = ("StaticFilter requires an absolute final path. "
+                       "Make static_filter.dir, .file, or .root absolute.")
+                raise cherrypy.WrongConfigValue(msg)
+            filename = os.path.join(root, filename)


         self.assertInBody("WrongConfigValue: StaticFilter requires either "
                           "static_filter.file or static_filter.dir "
+        # Test up-level security
+        self.getPage("/static/../style.css")
+        self.assertStatus('403 Forbidden')
 if __name__ == "__main__":
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.