@@ -135,6 +135,17 b' def get_stat(spath, fn):' | |||||
135 | def get_mtime(spath): |
|
135 | def get_mtime(spath): | |
136 | return get_stat(spath, "00changelog.i").st_mtime |
|
136 | return get_stat(spath, "00changelog.i").st_mtime | |
137 |
|
137 | |||
|
138 | def ispathsafe(path): | |||
|
139 | """Determine if a path is safe to use for filesystem access.""" | |||
|
140 | parts = path.split('/') | |||
|
141 | for part in parts: | |||
|
142 | if (part in ('', os.curdir, os.pardir) or | |||
|
143 | pycompat.ossep in part or | |||
|
144 | pycompat.osaltsep is not None and pycompat.osaltsep in part): | |||
|
145 | return False | |||
|
146 | ||||
|
147 | return True | |||
|
148 | ||||
138 | def staticfile(directory, fname, req): |
|
149 | def staticfile(directory, fname, req): | |
139 | """return a file inside directory with guessed Content-Type header |
|
150 | """return a file inside directory with guessed Content-Type header | |
140 |
|
151 | |||
@@ -144,13 +155,10 b' def staticfile(directory, fname, req):' | |||||
144 | Return an empty string if fname is illegal or file not found. |
|
155 | Return an empty string if fname is illegal or file not found. | |
145 |
|
156 | |||
146 | """ |
|
157 | """ | |
147 | parts = fname.split('/') |
|
158 | if not ispathsafe(fname): | |
148 | for part in parts: |
|
159 | return | |
149 | if (part in ('', os.curdir, os.pardir) or |
|
160 | ||
150 | pycompat.ossep in part or |
|
161 | fpath = os.path.join(*fname.split('/')) | |
151 | pycompat.osaltsep is not None and pycompat.osaltsep in part): |
|
|||
152 | return |
|
|||
153 | fpath = os.path.join(*parts) |
|
|||
154 | if isinstance(directory, str): |
|
162 | if isinstance(directory, str): | |
155 | directory = [directory] |
|
163 | directory = [directory] | |
156 | for d in directory: |
|
164 | for d in directory: |
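Review bot: The docstring on `ispathsafe()` (new lines 138–147) says the path is "safe to use for filesystem access", but the loop only rejects empty, `os.curdir`/`os.pardir` components and components containing `pycompat.ossep` or `pycompat.osaltsep`. Nothing here resolves symlinks, and a Windows drive-qualified component contains no separator, so it looks like it would pass and reach `os.path.join` in `staticfile()`; that is worth confirming on that platform and, if it holds, rejecting `:` in a part there. I would narrow the docstring to state what is checked, e.g. `"""Return True if every '/'-separated part of path is a plain name (not empty, '.' or '..', no OS separator); does not resolve symlinks."""`. `staticfile()` continues past the end of the second hunk, so how `fpath` is joined to each `d` is not visible here.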