Do not allow access to resources outside of static.

nengo · Apr 17, 2018 · a876b11 · a876b11
1 parent e343b13
commit a876b11
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/nengo_gui/guibackend.py b/nengo_gui/guibackend.py
@@ -150,7 +150,11 @@ def login_page(self):
     @RequireAuthentication('/login')
     def serve_static(self):
         """Handles http://host:port/static/* by returning pkg data"""
-        fn = os.path.join('static', self.resource)
+        assert self.resource[0] == '/'
+        static_dir = 'static' + os.sep
+        fn = os.path.normpath(self.resource[1:])
+        if os.path.commonprefix((static_dir, fn)) != static_dir:
+            raise server.Forbidden()
         mimetype, encoding = mimetypes.guess_type(fn)
         data = pkgutil.get_data('nengo_gui', fn)
         return server.HttpResponse(data, mimetype)