From cddc453c9d49298e60e7d56fb71130c151cbcbe5 Mon Sep 17 00:00:00 2001
From: Oleh Prypin <oleh@pryp.in>
Date: Sun, 10 Oct 2021 10:52:05 +0200
Subject: [PATCH] Prevent directory traversal in the dev server

---
 mkdocs/livereload/__init__.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mkdocs/livereload/__init__.py b/mkdocs/livereload/__init__.py
index c9f7afa8e7..998022de7e 100644
--- a/mkdocs/livereload/__init__.py
+++ b/mkdocs/livereload/__init__.py
@@ -4,6 +4,7 @@
 import mimetypes
 import os
 import os.path
+import posixpath
 import re
 import socketserver
 import threading
@@ -183,9 +184,11 @@ def condition():
         if path == "/js/livereload.js":
             file_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "livereload.js")
         elif path.startswith(self.mount_path):
-            rel_file_path = path[len(self.mount_path):].lstrip("/")
+            rel_file_path = path[len(self.mount_path):]
             if path.endswith("/"):
                 rel_file_path += "index.html"
+            # Prevent directory traversal - normalize the path.
+            rel_file_path = posixpath.normpath("/" + rel_file_path).lstrip("/")
             file_path = os.path.join(self.root, rel_file_path)
         elif path == "/":
             start_response("302 Found", [("Location", self.mount_path)])