authorAldo Cortesi <aldo@nullcube.com>2012-07-22 23:46:56 +1200
committerAldo Cortesi <aldo@nullcube.com>2012-07-22 23:46:56 +1200
commit96db3557ce88cd6f4993a1c090d0d717b34db57e (patch)
treeeda74e647026215f678627cb9c6bf5777bc3490b /libpathod/rparse.py
parent1b03fd6780f69f1d1f460868d5592587cb0c9c50 (diff)
Constrain file access to configured directory in pathod.
Diffstat (limited to 'libpathod/rparse.py')
-rw-r--r--libpathod/rparse.py16
1 files changed, 11 insertions, 5 deletions
diff --git a/libpathod/rparse.py b/libpathod/rparse.py
index bcbd01f9..810fefc0 100644
--- a/libpathod/rparse.py
+++ b/libpathod/rparse.py
@@ -243,13 +243,19 @@ class ValueFile:
return e.setParseAction(lambda x: klass(*x))
def get_generator(self, settings):
+ uf = settings.get("unconstrained_file_access")
sd = settings.get("staticdir")
if not sd:
- raise ServerError("No static directory specified.")
- path = os.path.join(sd, self.path)
- if not os.path.exists(path):
- raise ServerError("Static file does not exist: %s"%path)
- return FileGenerator(path)
+ raise ServerError("File access disabled.")
+ sd = os.path.normpath(os.path.abspath(sd))
+
+ s = os.path.expanduser(self.path)
+ s = os.path.normpath(os.path.abspath(os.path.join(sd, s)))
+ if not uf and not s.startswith(sd):
+ raise ServerError("File access outside of configured directory")
+ if not os.path.isfile(s):
+ raise ServerError("File not readable")
+ return FileGenerator(s)
def __str__(self):
return "<%s"%(self.path)
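Review bot: The containment test `s.startswith(sd)` in `get_generator` is a plain string-prefix comparison, so a normalised path in a sibling directory whose name merely begins with the staticdir name (constructed example: staticdir `/srv/static`, file under `/srv/static-old/`) is treated as inside the configured directory. Compare on a path-component boundary instead, for example `if not uf and not (s == sd or s.startswith(sd + os.sep)):`. Both `sd` and `s` are built with `os.path.abspath`/`os.path.normpath`, which do not resolve symlinks, so a link placed inside the directory can still resolve outside it; calling `os.path.realpath` on both sides before the comparison would cover that case. A short comment above the check stating that `unconstrained_file_access` disables the containment test entirely would also help the next reader.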