Fix for os.path.join

This commit is contained in:
Tom Christie 2018-07-12 16:11:06 +01:00
parent 37a539a202
commit f45049f303
1 changed files with 4 additions and 2 deletions

View File

@ -22,8 +22,10 @@ class StaticFiles:
def __call__(self, scope): def __call__(self, scope):
if scope["method"] not in ("GET", "HEAD"): if scope["method"] not in ("GET", "HEAD"):
return PlainTextResponse("Method not allowed", status_code=406) return PlainTextResponse("Method not allowed", status_code=406)
split_path = scope["path"].split("/") path = os.path.normpath(os.path.join(*scope["path"].split("/")))
path = os.path.join(self.directory, *split_path) if path.startswith('..'):
return PlainTextResponse("Not found", status_code=404)
path = os.path.join(self.directory, path)
if self.config_checked: if self.config_checked:
check_directory = None check_directory = None
else: else: