More robust path-traversal check in StaticFiles app #985
Looks like this causes an issue where you can get 404s for every static file except if you create your Also (and potentially should be its own issue), could we consider allowing following symbolic links with a flag that we pass in?
The latest changes break previous behaviour from 0.13.4.
Based on the documentation we can register static files as follows: If we use the layout from above and the recommended way from documentation then the code from this PR will produce the following:
@tomchristie what is the recommended way to register StaticFiles now? Especially in case of different layouts:
At a local layout, I convert realpath+static to string in order to fix the error 404 for the version 0.13.5 as below: from pathlib import Path
I have tested a little bit on my Windows 10 Notebook and it seems that StaticFiles returns 404 if the directory parameter is a pathlib class. When you pass a string of the correct format (Windows for a Windows system) it works:
os.path.* functions work because they return string values, even if their argument is Path:
Most interestingly, there are different results depending on whether the directory passed as Path exists or not:
Resolved in 0.13.6
Closes #981
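
An added example, not code from this thread or from Starlette: a containment check for a static-file root that gives the same answer for `str` and `pathlib.Path` directories and compares whole path components. The function names, the `naive_is_inside` "before" variant and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_is_inside(directory, requested):
    # Constructed "before": only the requested path is resolved, then the
    # str result is compared with `directory` exactly as it was configured.
    full_path = os.path.realpath(os.path.join(directory, requested))
    return os.path.commonprefix([full_path, directory]) == directory


def robust_is_inside(directory, requested):
    # Resolve BOTH sides to absolute str paths so Path objects, relative
    # directories and symlinked roots compare like with like.
    root = os.path.realpath(os.fspath(directory))
    full_path = os.path.realpath(os.path.join(root, requested))
    try:
        # commonpath compares path components, not characters, so a sibling
        # directory sharing a name prefix does not count as "inside".
        return os.path.commonpath([full_path, root]) == root
    except ValueError:  # e.g. different drives on Windows
        return False


def demo():
    # Constructed layout: <tmp>/static/app.css and <tmp>/static-private/secret.txt
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(os.path.realpath(tmp))
        static, private = base / "static", base / "static-private"
        static.mkdir()
        private.mkdir()
        (static / "app.css").write_text("body{}")
        (private / "secret.txt").write_text("constructed sample")
        sibling = os.path.join("..", "static-private", "secret.txt")
        return {
            # str result never equals a Path object: every file is rejected
            "naive_path_obj": naive_is_inside(static, "app.css"),
            "naive_str": naive_is_inside(str(static), "app.css"),
            # character-prefix match lets the sibling directory through
            "naive_sibling": naive_is_inside(str(static), sibling),
            "robust_path_obj": robust_is_inside(static, "app.css"),
            "robust_str": robust_is_inside(str(static), "app.css"),
            "robust_sibling": robust_is_inside(str(static), sibling),
            "robust_parent": robust_is_inside(static, os.path.join("..", "x.txt")),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The `naive_path_obj` case reproduces the kind of false rejection described in the comments above (a valid file refused because the configured directory is a `Path`), while `naive_sibling` shows why a character-prefix comparison is not a sufficient containment test.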