authorTres Seaver <tseaver@palladion.com>2023-08-21 14:43:12 -0400
committerTres Seaver <tseaver@palladion.com>2023-08-21 14:43:12 -0400
commit354d69a7b397571e3845de13ecabbfeb9d7f100b (patch)
tree07354688fe25a0d2d3a556b2d52b27a9035f62a3 /src
parentf1941759ee9dedf5f800fc4c9a0c9c51028e06f5 (diff)
fix: reject path elements containing a NUL character
See: https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8
Diffstat (limited to 'src')
-rw-r--r--src/pyramid/static.py14
1 files changed, 7 insertions, 7 deletions
diff --git a/src/pyramid/static.py b/src/pyramid/static.py
index 71dd715d7..e2a5e68d3 100644
--- a/src/pyramid/static.py
+++ b/src/pyramid/static.py
@@ -138,11 +138,11 @@ class static_view:
# normalize asset spec or fs path into resource_path
if self.package_name: # package resource
- resource_path = '{}/{}'.format(self.docroot.rstrip('/'), path)
+ resource_path = '%s/%s' % (self.docroot.rstrip('/'), path)
if resource_isdir(self.package_name, resource_path):
if not request.path_url.endswith('/'):
raise self.add_slash_redirect(request)
- resource_path = '{}/{}'.format(
+ resource_path = '%s/%s' % (
resource_path.rstrip('/'),
self.index,
)
@@ -260,12 +260,12 @@ def _add_vary(response, option):
response.vary = vary
-_seps = {'/', os.sep}
+_invalid_element_chars = {'/', os.sep, '\x00'}
-def _contains_slash(item):
- for sep in _seps:
- if sep in item:
+def _contains_invalid_element_char(item):
+ for invalid_element_char in _invalid_element_chars:
+ if invalid_element_char in item:
return True
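Review bot: The for/if/return loop in `_contains_invalid_element_char` collapses to a single expression, `return any(sep in item for sep in _invalid_element_chars)`, which also makes the fall-through case explicit instead of relying on a trailing `return False`. The helper should carry a docstring saying why NUL joins the separators in `_invalid_element_chars`: an element with an embedded NUL presumably cannot be a real filename and the underlying resource/filesystem calls reject it with an exception rather than a not-found, so screening it here keeps such requests on the same path a slash-containing element already takes — e.g. `"""Return True if *item* holds a path separator or NUL; such elements must never reach the filesystem."""`. The function's remaining lines (its final return) lie outside the hunk.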
@@ -279,7 +279,7 @@ def _secure_path(path_tuple):
# unless someone screws up the traversal_path code
# (request.subpath is computed via traversal_path too)
return None
- if any([_contains_slash(item) for item in path_tuple]):
+ if any([_contains_invalid_element_char(item) for item in path_tuple]):
return None
encoded = '/'.join(path_tuple) # will be unicode
return encoded
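Review bot: `any([_contains_invalid_element_char(item) for item in path_tuple])` builds a full list before testing; a generator short-circuits on the first offending element: `if any(_contains_invalid_element_char(item) for item in path_tuple):`. Since the check is per element, it relies on `traversal_path` having already split the subpath on `/` and removed `.`/`..` segments as the comment above states; a one-line note such as `# each element is one path segment: a separator or NUL inside it is never legitimate` would tell the next reader why separators are rejected here rather than normalized. `_secure_path` begins before this hunk.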