Fixed directory traversal bug with direcotry listing

This commit is contained in:
Sebastian Lohff 2015-11-10 20:51:18 +01:00
parent 11ad07cc76
commit cd7eee21be
1 changed files with 9 additions and 0 deletions

View File

@ -305,6 +305,15 @@ class DirListingHandler(FileBaseHandler):
""" Send file or directory index, depending on requested path """ """ Send file or directory index, depending on requested path """
path = self.getCleanPath() path = self.getCleanPath()
# check if path is in current serving directory
currBaseDir = os.path.abspath(self.targetDir) + os.path.sep
requestPath = os.path.normpath(os.path.join(currBaseDir, path)) + os.path.sep
if not requestPath.startswith(currBaseDir):
self.send_response(301)
self.send_header("Location", '/')
self.end_headers()
return
if os.path.isdir(path): if os.path.isdir(path):
if not self.path.endswith('/'): if not self.path.endswith('/'):
self.send_response(301) self.send_response(301)