From dd1627fb78f8461ea89add9535a1abe6fcadfadc Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Tue, 17 Dec 2019 21:29:31 +0100
Subject: dash_server: make sure requests do not point outside our root.

---
 dash_server.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/dash_server.py b/dash_server.py
index da65584..8a78f0f 100755
--- a/dash_server.py
+++ b/dash_server.py
@@ -187,8 +187,18 @@ class DashRequestHandler(hs.BaseHTTPRequestHandler):
 
         super().__init__(*args, **kwargs)
 
-    def _decode_path(self, encoded_path):
-        return urlparse.unquote_to_bytes(encoded_path)
+    def _process_path(self, encoded_path):
+        # decode percent-encoding
+        path = urlparse.unquote_to_bytes(encoded_path)
+
+        # normalize the path
+        path = os.path.normpath(path)
+
+        # make sure the path doesn't point outside of our root
+        if path.startswith(b'..'):
+            raise PermissionError('Invalid path')
+
+        return path
 
     def _serve_local(self, path):
         with open(path, 'rb') as infile:
@@ -207,7 +217,7 @@ class DashRequestHandler(hs.BaseHTTPRequestHandler):
     def do_GET(self):
         self._log_request()
 
-        local_path = self._decode_path(self.path)
+        local_path = self._process_path(self.path)
         outpath = b'/'.join((self.server.serve_dir, local_path))
         try:
             ds = self.server._streams[local_path]
@@ -241,7 +251,7 @@ class DashRequestHandler(hs.BaseHTTPRequestHandler):
         self._log_request()
 
         with contextlib.ExitStack() as stack:
-            local_path = self._decode_path(self.path)
+            local_path = self._process_path(self.path)
 
             ds = stack.enter_context(contextlib.closing(DataStream()))
             stack.enter_context(self.server._streams.add_entry(local_path, ds))
-- 
cgit v1.2.3