| author | Chris McDonough <chrism@plope.com> | 2011-09-08 00:10:48 -0400 |
|---|---|---|
| committer | Chris McDonough <chrism@plope.com> | 2011-09-08 00:10:48 -0400 |
| commit | b1ba8cc4f3f388e092354ef72c37c03702edf5a4 (patch) | |
| tree | dbd5daccc42021f7c8dfc6c79dd3d1d0a06d9d24 | |
| parent | a3cd6b3ff1a02c5fad56cecb5178ca2ec77c3bfa (diff) | |
| download | pyramid-b1ba8cc4f3f388e092354ef72c37c03702edf5a4.tar.gz pyramid-b1ba8cc4f3f388e092354ef72c37c03702edf5a4.tar.bz2 pyramid-b1ba8cc4f3f388e092354ef72c37c03702edf5a4.zip | |
use set comparison to protect against insecure path elements; don't disallow items that start with dot; don't url-quote each path element
| -rw-r--r-- | pyramid/static.py | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/pyramid/static.py b/pyramid/static.py
index 357fe8014..128d2ce60 100644
--- a/pyramid/static.py
+++ b/pyramid/static.py
@@ -169,12 +169,13 @@ class static_view(object):
         url = url + '?' + qs
         return HTTPMovedPermanently(url)
 
+has_insecure_pathelement = set(['..', '.', '/', '']).intersection
+
 @lru_cache(1000)
 def _secure_path(path_tuple):
-    if '' in path_tuple:
+    if has_insecure_pathelement(path_tuple):
         return None
     for item in path_tuple:
-        for val in ['.', '/']:
-            if item.startswith(val):
-                return None
-    return '/'.join([quote_path_segment(x) for x in path_tuple])
+        if '../' in item:
+            return None
+    return '/'.join([x.encode('utf-8') for x in path_tuple])
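Review bot: The per-element substring test `'../' in item` in the new `_secure_path` loop does not cover an element whose final segment is `..` with nothing after the slash (e.g. `'a/..'`): it is not a member of the rejected set and contains no `'../'`, so it survives into the joined result and can resolve above the intended directory. Since the loop evidently tolerates embedded slashes inside an element, splitting each element and rejecting any bare `..` segment keeps that tolerance while closing the gap: `if '..' in item.split('/'):`. Whether elements can ever carry a platform separator other than `/` is not visible in this hunk; if they can, the same split check would need to cover that separator as well. The enclosing `static_view` class starts outside the hunk.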
