Prevent directory traversal in the dev server

mkdocs · Oct 10, 2021 · cddc453 · cddc453
1 parent c426455
commit cddc453
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/mkdocs/livereload/__init__.py b/mkdocs/livereload/__init__.py
@@ -4,6 +4,7 @@
 import mimetypes
 import os
 import os.path
+import posixpath
 import re
 import socketserver
 import threading
@@ -183,9 +184,11 @@ def condition():
         if path == "/js/livereload.js":
             file_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "livereload.js")
         elif path.startswith(self.mount_path):
-            rel_file_path = path[len(self.mount_path):].lstrip("/")
+            rel_file_path = path[len(self.mount_path):]
             if path.endswith("/"):
                 rel_file_path += "index.html"
+            # Prevent directory traversal - normalize the path.
+            rel_file_path = posixpath.normpath("/" + rel_file_path).lstrip("/")
             file_path = os.path.join(self.root, rel_file_path)
         elif path == "/":
             start_response("302 Found", [("Location", self.mount_path)])