Constrain file access to configured directory in pathod.

libpathod/rparse.py

@@ -243,13 +243,19 @@ class ValueFile:
         return e.setParseAction(lambda x: klass(*x))
 
     def get_generator(self, settings):
+        uf = settings.get("unconstrained_file_access")
         sd = settings.get("staticdir")
         if not sd:
-            raise ServerError("No static directory specified.")
-        path = os.path.join(sd, self.path)
-        if not os.path.exists(path):
-            raise ServerError("Static file does not exist: %s"%path)
-        return FileGenerator(path)
+            raise ServerError("File access disabled.")
+        sd = os.path.normpath(os.path.abspath(sd))
+
+        s = os.path.expanduser(self.path)
+        s = os.path.normpath(os.path.abspath(os.path.join(sd, s)))
+        if not uf and not s.startswith(sd):
+            raise ServerError("File access outside of configured directory")
+        if not os.path.isfile(s):
+            raise ServerError("File not readable")
+        return FileGenerator(s)
 
     def __str__(self):
         return "<%s"%(self.path)

test/test_rparse.py

@@ -70,7 +70,10 @@ class TestMisc:
 
             v = rparse.Value.parseString("<path2")[0]
             tutils.raises(rparse.ServerError, v.get_generator, dict(staticdir=t))
-            tutils.raises("no static directory", v.get_generator, dict())
+            tutils.raises("access disabled", v.get_generator, dict())
+
+            v = rparse.Value.parseString("</outside")[0]
+            tutils.raises("outside", v.get_generator, dict(staticdir=t))
 
     def test_generated_value(self):
         v = rparse.Value.parseString("@10b")[0]
@@ -431,7 +434,6 @@ class TestResponse:
         testlen(rparse.parse_response({}, "400'msg':h'foo'='bar':b@100b"))
 
 
-
 def test_read_file():
     tutils.raises(rparse.FileAccessDenied, rparse.read_file, {}, "=/foo")
     p = tutils.test_data.path("data")