authorMichael Merickel <michael@merickel.org>2023-08-24 23:49:50 -0600
committerMichael Merickel <michael@merickel.org>2023-08-24 23:49:50 -0600
commitb4e78bd14f7bbfce76399510a78b5346f9bd73e1 (patch)
treec6a3597b7d05ec644ba7093198e7d6a64e8b1c05 /src
parent0919da5326ef65fb6569bc045ee0c0f033185f1c (diff)
parent6726314834d0de9e29c45dcb3d6f3ce9118a956d (diff)
Merge branch 'tseaver-jp_exploit_fix'
Diffstat (limited to 'src')
-rw-r--r--src/pyramid/static.py10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/pyramid/static.py b/src/pyramid/static.py
index 71dd715d7..100d17676 100644
--- a/src/pyramid/static.py
+++ b/src/pyramid/static.py
@@ -260,12 +260,12 @@ def _add_vary(response, option):
response.vary = vary
-_seps = {'/', os.sep}
+_invalid_element_chars = {'/', os.sep, '\x00'}
-def _contains_slash(item):
- for sep in _seps:
- if sep in item:
+def _contains_invalid_element_char(item):
+ for invalid_element_char in _invalid_element_chars:
+ if invalid_element_char in item:
return True
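Review bot: `_contains_invalid_element_char` still returns `True` or falls off the end with an implicit `None`, so the caller's `any(...)` is testing a non-boolean; the rename did not touch this and the remainder of the body (after `return True`) is not visible in the hunk beyond what look like stripped blank lines. The loop can be a single expression that returns a real boolean, `return any(c in item for c in _invalid_element_chars)`, plus a one-line docstring such as `"""Return True if *item* contains a path separator or NUL, i.e. cannot be a single safe path element."""`. The new `'\x00'` entry deserves a why-comment next to the set, since its reason is not obvious from the name: `# NUL is rejected up front: Python's os/path APIs raise ValueError on an embedded null byte, so it must never reach the filesystem lookup` — how that error would surface to the client depends on code outside this hunk and should be confirmed.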
@@ -279,7 +279,7 @@ def _secure_path(path_tuple):
# unless someone screws up the traversal_path code
# (request.subpath is computed via traversal_path too)
return None
- if any([_contains_slash(item) for item in path_tuple]):
+ if any([_contains_invalid_element_char(item) for item in path_tuple]):
return None
encoded = '/'.join(path_tuple) # will be unicode
return encoded
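Review bot: The rejection on the `any([...])` line materializes a list before testing, so every element is scanned even after the first invalid one; a generator short-circuits and reads the same, `if any(_contains_invalid_element_char(item) for item in path_tuple):`. The `# will be unicode` comment on the join is a leftover from the 2/3-compatible era and no longer says anything useful; a comment naming what the caller does with the joined value would be more helpful, if that is known. `_secure_path` starts before this hunk, so the first check's condition (presumably the `.`/`..` element test that this separator/NUL check complements) is not visible here.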