From f45049f3030a844718e01a36305d179819a07020 Mon Sep 17 00:00:00 2001
From: Tom Christie
Date: Thu, 12 Jul 2018 16:11:06 +0100
Subject: [PATCH] Fix for os.path.join

---
 starlette/staticfiles.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/starlette/staticfiles.py b/starlette/staticfiles.py
index 4826cbef..4199e510 100644
--- a/starlette/staticfiles.py
+++ b/starlette/staticfiles.py
@@ -22,8 +22,10 @@ class StaticFiles:
     def __call__(self, scope):
         if scope["method"] not in ("GET", "HEAD"):
             return PlainTextResponse("Method not allowed", status_code=406)
-        split_path = scope["path"].split("/")
-        path = os.path.join(self.directory, *split_path)
+        path = os.path.normpath(os.path.join(*scope["path"].split("/")))
+        if path.startswith('..'):
+            return PlainTextResponse("Not found", status_code=404)
+        path = os.path.join(self.directory, path)
         if self.config_checked:
             check_directory = None
         else:
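Review bot: The added `path.startswith('..')` guard is a purely lexical prefix test on the normalized request path, so it both over- and under-rejects: a legitimate top-level file named `..foo` is turned into a 404, while anything that only escapes `self.directory` after the filesystem is consulted (a symlink inside the directory pointing outside it) is not caught, since `normpath` never touches the disk. A tighter lexical form is `if path == ".." or path.startswith(".." + os.sep):`, which keeps the traversal rejection without blocking `..`-prefixed names. If escaping via symlinks should also be refused, resolve after the join and check containment instead — `full = os.path.realpath(os.path.join(self.directory, path))` followed by `if os.path.commonpath([os.path.realpath(self.directory), full]) != os.path.realpath(self.directory): return PlainTextResponse("Not found", status_code=404)` — whether symlinked content is meant to be served is a policy decision the commit does not state, so confirm before adopting it. Note that on Windows the `split("/")` components can still contain backslashes or a drive prefix, which `os.path.join` and `normpath` interpret, so the lexical check alone is weaker there. The body of `__call__` continues past the end of this hunk.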