From 6259c88b75121e36a7fa683eef6ea5152ec8b400 Mon Sep 17 00:00:00 2001
From: Tessa Walsh
Date: Tue, 5 Nov 2024 12:13:58 -0500
Subject: [PATCH] Remove abspath, add validation back
---
 pywb/apps/static_handler.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/pywb/apps/static_handler.py b/pywb/apps/static_handler.py
index 872f8713..820aa226 100644
--- a/pywb/apps/static_handler.py
+++ b/pywb/apps/static_handler.py
@@ -32,20 +32,20 @@ def __call__(self, environ, url_str):
 full_path = environ.get('pywb.static_dir')
 if full_path:
- static_path_to_validate = os.path.abspath(full_path)
+ static_path_to_validate = full_path
 full_path = os.path.join(full_path, url)
 if not os.path.isfile(full_path):
 full_path = None
 if not full_path:
- static_path_to_validate = os.path.abspath(self.static_path)
+ static_path_to_validate = self.static_path
 full_path = os.path.join(self.static_path, url)
- # try:
- # validate_requested_file_path(static_path_to_validate, url)
- # except ValueError:
- # raise NotFoundException('Static File Not Found: ' +
- # url_str)
+ try:
+ validate_requested_file_path(static_path_to_validate, url)
+ except ValueError:
+ raise NotFoundException('Static File Not Found: ' +
+ url_str)
 try:
 data = self.block_loader.load(full_path)
@@ -84,7 +84,7 @@ def validate_requested_file_path(self, static_dir, requested_path):
 """Validate that requested relative file path is within static dir.
 Returns relative path starting from static_dir or raises ValueError if
- requested path is not in the static directory.
+ path traversal outside the static directory is being attempted.
 """
 static_dir = Path(static_dir)
 return static_dir.joinpath(requested_path).resolve().relative_to(static_dir.resolve())
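Review bot: The re-enabled call `validate_requested_file_path(static_path_to_validate, url)` is a bare name, while the second hunk's header shows the function defined with `self` as a method. Unless a module-level function of the same name exists outside this diff, every static request would raise NameError, which `except ValueError` does not catch, so the line should read `self.validate_requested_file_path(static_path_to_validate, url)`. The check also runs only after `os.path.isfile(full_path)` has already probed the unvalidated joined path, and its resolved return value is discarded, so `self.block_loader.load(full_path)` opens a path derived separately from the one that was checked. Validating before the `isfile` probe and loading a path built from the validated result would close that gap. `__call__` starts and ends outside the hunk.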