From cd7eee21be3602ab6118a23eec8e2628d1a6488c Mon Sep 17 00:00:00 2001
From: Sebastian Lohff
Date: Tue, 10 Nov 2015 20:51:18 +0100
Subject: [PATCH] Fixed directory traversal bug with direcotry listing
---
 servefile | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/servefile b/servefile
index 9a2733d..1d6e6ed 100755
--- a/servefile
+++ b/servefile
@@ -305,6 +305,15 @@ class DirListingHandler(FileBaseHandler):
 """ Send file or directory index, depending on requested path """
 path = self.getCleanPath()
+ # check if path is in current serving directory
+ currBaseDir = os.path.abspath(self.targetDir) + os.path.sep
+ requestPath = os.path.normpath(os.path.join(currBaseDir, path)) + os.path.sep
+ if not requestPath.startswith(currBaseDir):
+ self.send_response(301)
+ self.send_header("Location", '/')
+ self.end_headers()
+ return
+
 if os.path.isdir(path):
 if not self.path.endswith('/'):
 self.send_response(301)
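Review bot: The containment test is computed on `os.path.join(currBaseDir, path)`, but the `os.path.isdir(path)` call right after it still uses the original `path`, so the string that is validated is not necessarily the location that gets served. getCleanPath() is outside this hunk; if it returns a path relative to the working directory, or one that already contains targetDir, the joined value can normalise to somewhere under the base while `path` itself resolves elsewhere. Resolving once and reusing the result for both the check and the file access closes that gap, e.g. `path = os.path.realpath(path)` followed by `if not (path + os.path.sep).startswith(os.path.realpath(self.targetDir) + os.path.sep):`; realpath also resolves symlinks, which abspath/normpath leave untouched, so decide whether links pointing out of the served tree should be followed. Answering a rejected request with 403 or 404 would be clearer than the permanent `self.send_response(301)`, which clients may cache. The enclosing method starts and ends outside the hunk.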