| author | Tres Seaver <tseaver@palladion.com> | 2023-08-21 14:43:12 -0400 |
|---|---|---|
| committer | Tres Seaver <tseaver@palladion.com> | 2023-08-21 14:43:12 -0400 |
| commit | 354d69a7b397571e3845de13ecabbfeb9d7f100b (patch) | |
| tree | 07354688fe25a0d2d3a556b2d52b27a9035f62a3 | |
| parent | f1941759ee9dedf5f800fc4c9a0c9c51028e06f5 (diff) | |
| download | pyramid-354d69a7b397571e3845de13ecabbfeb9d7f100b.tar.gz pyramid-354d69a7b397571e3845de13ecabbfeb9d7f100b.tar.bz2 pyramid-354d69a7b397571e3845de13ecabbfeb9d7f100b.zip | |
fix: reject NUL character as path element
See: https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8
| -rw-r--r-- | src/pyramid/static.py | 14 | ||||
| -rw-r--r-- | tests/fixtures/index.html | 1 | ||||
| -rw-r--r-- | tests/test_static.py | 13 |
3 files changed, 21 insertions, 7 deletions
diff --git a/src/pyramid/static.py b/src/pyramid/static.py
index 71dd715d7..e2a5e68d3 100644
--- a/src/pyramid/static.py
+++ b/src/pyramid/static.py
@@ -138,11 +138,11 @@ class static_view:
 # normalize asset spec or fs path into resource_path
 if self.package_name:
 # package resource
- resource_path = '{}/{}'.format(self.docroot.rstrip('/'), path)
+ resource_path = '%s/%s' % (self.docroot.rstrip('/'), path)
 if resource_isdir(self.package_name, resource_path):
 if not request.path_url.endswith('/'):
 raise self.add_slash_redirect(request)
- resource_path = '{}/{}'.format(
+ resource_path = '%s/%s' % (
 resource_path.rstrip('/'),
 self.index,
 )
@@ -260,12 +260,12 @@ def _add_vary(response, option):
 response.vary = vary
-_seps = {'/', os.sep}
+_invalid_element_chars = {'/', os.sep, '\x00'}
-def _contains_slash(item):
- for sep in _seps:
- if sep in item:
+def _contains_invalid_element_char(item):
+ for invalid_element_char in _invalid_element_chars:
+ if invalid_element_char in item:
 return True
@@ -279,7 +279,7 @@ def _secure_path(path_tuple):
 # unless someone screws up the traversal_path code
 # (request.subpath is computed via traversal_path too)
 return None
- if any([_contains_slash(item) for item in path_tuple]):
+ if any([_contains_invalid_element_char(item) for item in path_tuple]):
 return None
 encoded = '/'.join(path_tuple) # will be unicode
 return encoded
diff --git a/tests/fixtures/index.html b/tests/fixtures/index.html
new file mode 100644
index 000000000..a37df5790
--- /dev/null
+++ b/tests/fixtures/index.html
@@ -0,0 +1 @@
+<h1>DON'T GO HERE</h1>
diff --git a/tests/test_static.py b/tests/test_static.py
index af487fa24..97978f2a4 100644
--- a/tests/test_static.py
+++ b/tests/test_static.py
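Review bot: `_contains_invalid_element_char` keeps the explicit for-loop with an early `return True`, and its closing `return False` (presumably) sits outside the hunk, so the reader has to scan past the hunk to confirm every path returns a bool; the whole body reduces to `return any(c in item for c in _invalid_element_chars)`. Neither the renamed set nor the function says why `'\x00'` now sits beside the separators, which is the substance of this fix; a docstring such as `"""Return True if *item* contains a path separator or a NUL byte, neither of which may appear inside a single subpath element."""` would record that. A comment on `_invalid_element_chars` noting that `os.sep` is included so the check holds on platforms where it differs from `'/'` would also help.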
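Review bot: In `_secure_path`, `any([_contains_invalid_element_char(item) for item in path_tuple])` builds the whole list before `any` runs, so the short-circuit is lost; `if any(_contains_invalid_element_char(item) for item in path_tuple):` gives the same result without materializing it. The rejection also has no comment, unlike the `return None` above it, so the intent of refusing such elements is only discoverable from the helper's name; a line like `# an element holding a separator or NUL can never be a plain segment name; refuse it` placed above the check would document it. The start of `_secure_path` is outside the hunk.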
@@ -104,6 +104,19 @@ class Test_static_view_use_subpath_False(unittest.TestCase):
 self.assertRaises(HTTPNotFound, inst, context, request)
+ def test_oob_nul_char(self):
+ import os
+
+ inst = self._makeOne(f'{os.getcwd()}/tests/fixtures/static')
+ dds = '..\x00/'
+ request = self._makeRequest(
+ {'PATH_INFO': f'/{dds}'}
+ )
+ context = DummyContext()
+ from pyramid.httpexceptions import HTTPNotFound
+
+ self.assertRaises(HTTPNotFound, inst, context, request)
+
 def test_resource_doesnt_exist(self):
 inst = self._makeOne('tests:fixtures/static')
 request = self._makeRequest({'PATH_INFO': '/notthere'}) |
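Review bot: `test_oob_nul_char` builds its docroot from `os.getcwd()`, so it only passes when the test runner is started from the repository root, whereas the neighbouring `test_resource_doesnt_exist` uses the working-directory independent asset spec `'tests:fixtures/static'`. If the filesystem-path form is deliberate (it exercises the non-package branch of the view), derive it from the test module instead: `inst = self._makeOne(os.path.join(os.path.dirname(__file__), 'fixtures', 'static'))`. The name `dds` and the bare `'..\x00/'` literal also deserve a comment explaining what the request is probing, e.g. `# '..' followed by a NUL is not equal to '..', so it must be caught by the separator/NUL check rather than the dot-dot check`, and a second request with a NUL inside an otherwise ordinary element name would pin the new check independently of the dot-dot handling.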
