More robust path-traversal check in StaticFiles app (#985)

* More robust path-traversal check in StaticFiles app * Linting
encode · Jul 16, 2020 · e611476 · e611476
1 parent 85b9c26
commit e611476
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/starlette/staticfiles.py b/starlette/staticfiles.py
@@ -107,12 +107,6 @@ async def get_response(self, path: str, scope: Scope) -> Response:
         if scope["method"] not in ("GET", "HEAD"):
             return PlainTextResponse("Method Not Allowed", status_code=405)
 
-        if path.startswith(".."):
-            # Most clients will normalize the path, so we shouldn't normally
-            # get this, but don't allow misbehaving clients to break out of
-            # the static files directory.
-            return PlainTextResponse("Not Found", status_code=404)
-
         full_path, stat_result = await self.lookup_path(path)
 
         if stat_result and stat.S_ISREG(stat_result.st_mode):
@@ -147,6 +141,12 @@ async def lookup_path(
     ) -> typing.Tuple[str, typing.Optional[os.stat_result]]:
         for directory in self.all_directories:
             full_path = os.path.join(directory, path)
+            if (
+                os.path.commonprefix([os.path.realpath(full_path), directory])
+                != directory
+            ):
+                # Don't allow misbehaving clients to break out of the static files directory.
+                continue
             try:
                 stat_result = await aio_stat(full_path)
                 return (full_path, stat_result)