From b1ba8cc4f3f388e092354ef72c37c03702edf5a4 Mon Sep 17 00:00:00 2001
From: Chris McDonough
Date: Thu, 8 Sep 2011 00:10:48 -0400
Subject: use set comparison to protect against insecure path elements; don't disallow items that start with dot; don't url-quote each path element
---
 pyramid/static.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/pyramid/static.py b/pyramid/static.py
index 357fe8014..128d2ce60 100644
--- a/pyramid/static.py
+++ b/pyramid/static.py
@@ -169,12 +169,13 @@ class static_view(object):
 url = url + '?' + qs
 return HTTPMovedPermanently(url)
 
+has_insecure_pathelement = set(['..', '.', '/', '']).intersection
+
 @lru_cache(1000)
 def _secure_path(path_tuple):
-if '' in path_tuple:
+if has_insecure_pathelement(path_tuple):
 return None
 for item in path_tuple:
-for val in ['.', '/']:
-if item.startswith(val):
-return None
-return '/'.join([quote_path_segment(x) for x in path_tuple])
+if '../' in item:
+return None
+return '/'.join([x.encode('utf-8') for x in path_tuple])
--
cgit v1.2.3
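Review bot: The per-element check `if '../' in item:` in `_secure_path` only rejects one particular substring; an element that ends in `/..` or begins with `/` passes both this test and the `has_insecure_pathelement` set check, and the `startswith('/')` guard that previously caught the leading-separator case is removed by this commit, so the joined string can still carry a parent or absolute reference. Unless the caller has already split the path on `/` (that code is outside this hunk, so it cannot be confirmed here), a stricter and simpler test is `if '/' in item or '\\' in item:`, which rejects any separator inside an element and leaves the bare `..` case to the set check. Separately, `x.encode('utf-8')` on an element that is already a non-ASCII byte string would raise UnicodeDecodeError under Python 2 rather than returning None, so the caller's handling of that error should be verified. `_secure_path` is complete within the hunk; the two leading context lines belong to a static_view method that starts above it.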