From fe2403f8b572611f3b7a5da515e96d218bcb4289 Mon Sep 17 00:00:00 2001 From: Tessa Walsh Date: Tue, 5 Nov 2024 11:13:02 -0500 Subject: [PATCH] Try another validation approach --- pywb/apps/static_handler.py | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/pywb/apps/static_handler.py b/pywb/apps/static_handler.py index a325e689..dccfa09d 100644 --- a/pywb/apps/static_handler.py +++ b/pywb/apps/static_handler.py @@ -10,10 +10,6 @@ from pywb.utils.wbexception import NotFoundException -class PathValidationError(Exception): - """Path validation exception""" - - #================================================================= # Static Content Handler #================================================================= @@ -33,14 +29,12 @@ def __call__(self, environ, url_str): # url = sanitize_filepath(url) static_path_to_validate = None - full_path = None full_path = environ.get('pywb.static_dir') if full_path: static_path_to_validate = full_path full_path = os.path.join(full_path, url) if not os.path.isfile(full_path): - static_path_to_validate = None full_path = None if not full_path: @@ -49,7 +43,7 @@ def __call__(self, environ, url_str): try: validate_requested_file_path(static_path_to_validate, full_path) - except PathValidationError: + except ValueError: raise NotFoundException('Static File Not Found: ' + url_str) 
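Review bot: In the `@@ -33,14 +29,12 @@` hunk, `static_path_to_validate` now keeps the `pywb.static_dir` value even when `os.path.isfile(full_path)` fails, because the reset to `None` is removed. The body of `if not full_path:` lies outside the hunk, so it is not visible whether the fallback reassigns it. If it does not, the later check compares a file from the fallback directory against the wrong base and a legitimate static file is answered with 404. Assign the fallback directory to `static_path_to_validate` in the same branch that sets the fallback `full_path`, and add a short comment there saying both values must change together.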
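Review bot: In the `@@ -49,7 +43,7 @@` hunk, the call `validate_requested_file_path(static_path_to_validate, full_path)` passes two arguments by bare name, while the definition in the last hunk is `def validate_requested_file_path(self, static_dir, requested_path)`. As far as the visible lines show, the call therefore fails with a NameError or TypeError before any path is checked. Neither is a `ValueError`, so the new `except ValueError:` does not turn it into the intended 404. Either call it as `self.validate_requested_file_path(static_path_to_validate, full_path)` or drop `self` from the signature if the function is meant to be module-level; the indentation that would settle which is lost on this page. `__call__` begins and ends outside the hunk.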
@@ -87,12 +81,12 @@ def __call__(self, environ, url_str): url_str) def validate_requested_file_path(self, static_dir, requested_path): - """Validate that requested file path is within static dir""" - static_dir = Path(static_dir) - requested_path = Path(requested_path) + """Validate that requested file path is within static dir. - if static_dir.resolve() not in requested_path.resolve().parents: - raise PathValidationError('Requested path forbidden') + Returns relative path starting from static_dir or raises ValueError if + requested path is not in the static directory. + """ + return Path(static_dir).joinpath(requested_path).resolve().relative_to(static_dir.resolve())
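Review bot: The new `return` line calls `static_dir.resolve()` on the raw argument after the `static_dir = Path(static_dir)` conversion was removed. The caller takes the value from `environ.get('pywb.static_dir')`, presumably a string, so this raises AttributeError rather than the `ValueError` the caller catches. Separately, `requested_path` is already `os.path.join(full_path, url)`, so `Path(static_dir).joinpath(requested_path)` repeats the directory prefix when `static_dir` is relative. The path that is validated is then not the path that is later opened, and the check can accept a request that resolves outside the static directory. Resolve each argument once and compare them directly: `base = Path(static_dir).resolve()` followed by `return Path(requested_path).resolve().relative_to(base)`. The docstring should also state that `requested_path` is expected to be the already-joined path, not the URL fragment.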