From 0464d31a9c91f70699b3ad5706f82927dc442623 Mon Sep 17 00:00:00 2001 From: Paul Jongsma Date: Sat, 10 Dec 2016 12:16:37 +0100 Subject: [PATCH 1/5] Find URL encoded filenames on the fs by decoding them first --- sanic/static.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sanic/static.py b/sanic/static.py index 72361a9a..ed7d6f8c 100644 --- a/sanic/static.py +++ b/sanic/static.py @@ -2,6 +2,7 @@ from aiofiles.os import stat from os import path from re import sub from time import strftime, gmtime +from urllib.parse import unquote from .exceptions import FileNotFound, InvalidUsage from .response import file, HTTPResponse @@ -38,6 +39,8 @@ def register(app, uri, file_or_directory, pattern, use_modified_since): # from herping a derp and treating the uri as an absolute path file_path = path.join(file_or_directory, sub('^[/]*', '', file_uri)) \ if file_uri else file_or_directory + + file_path = unquote(file_path) try: headers = {} # Check if the client has been sent this file before From 9ba2f99ea26c366aedea8f94ea0af152fcb43b99 Mon Sep 17 00:00:00 2001 From: Paul Jongsma Date: Tue, 13 Dec 2016 01:10:24 +0100 Subject: [PATCH 2/5] added a comment on why to decode the file_path --- sanic/static.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sanic/static.py b/sanic/static.py index ed7d6f8c..b02786a4 100644 --- a/sanic/static.py +++ b/sanic/static.py @@ -40,6 +40,8 @@ def register(app, uri, file_or_directory, pattern, use_modified_since): file_path = path.join(file_or_directory, sub('^[/]*', '', file_uri)) \ if file_uri else file_or_directory + # URL decode the path sent by the browser otherwise we won't be able to + # match filenames which got encoded (filenames with spaces etc) file_path = unquote(file_path) try: headers = {} From 2003eceba19618fcb20d78b19af072726113cdfc Mon Sep 17 00:00:00 2001 
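Review bot: The added `file_path = unquote(file_path)` runs after the `'../' in file_uri` guard that sits just above this hunk (visible as context in the PATCH 4 hunk), so the guard only ever sees the still-encoded request string and an encoded `..` segment passes it and is only decoded afterwards, just before the file is opened. Decoding belongs before validation and on the request segment only: replace the added line with `if file_uri: file_uri = unquote(file_uri)` placed ahead of the `if file_uri and '../' in file_uri:` line (the `if` is needed because `file_uri` may be empty, as the `if file_uri else file_or_directory` context shows). Decoding the joined path also rewrites any `%` sequence in the configured `file_or_directory`, which the caller never encoded. The PATCH 4 hunk keeps the same decode-after-guard order and needs the same move. The enclosing handler function starts outside the hunk.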
From: Paul Jongsma Date: Tue, 13 Dec 2016 10:41:39 +0100 Subject: [PATCH 3/5] remove trailing space --- sanic/static.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sanic/static.py b/sanic/static.py index b02786a4..a70bff2f 100644 --- a/sanic/static.py +++ b/sanic/static.py @@ -40,7 +40,7 @@ def register(app, uri, file_or_directory, pattern, use_modified_since): file_path = path.join(file_or_directory, sub('^[/]*', '', file_uri)) \ if file_uri else file_or_directory - # URL decode the path sent by the browser otherwise we won't be able to + # URL decode the path sent by the browser otherwise we won't be able to # match filenames which got encoded (filenames with spaces etc) file_path = unquote(file_path) try: From 29f3c22fede7716cdebd06b8f4f44c48dfb0814e Mon Sep 17 00:00:00 2001 From: Eli Uriegas Date: Sat, 24 Dec 2016 18:11:12 -0800 Subject: [PATCH 4/5] Rework conditionals to not be inline --- sanic/static.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/sanic/static.py b/sanic/static.py index a70bff2f..e39dd76f 100644 --- a/sanic/static.py +++ b/sanic/static.py @@ -33,12 +33,14 @@ def register(app, uri, file_or_directory, pattern, use_modified_since): # served. os.path.realpath seems to be very slow if file_uri and '../' in file_uri: raise InvalidUsage("Invalid URL") - + # Merge served directory and requested file if provided # Strip all / that in the beginning of the URL to help prevent python # from herping a derp and treating the uri as an absolute path - file_path = path.join(file_or_directory, sub('^[/]*', '', file_uri)) \ - if file_uri else file_or_directory + file_path = file_or_directory + if file_uri: + file_path = path.join( + file_or_directory, sub('^[/]*', '', file_uri)) # URL decode the path sent by the browser otherwise we won't be able to # match filenames which got encoded (filenames with spaces etc) From 16182472fa73b6b5035ce4904bbb3edf3e1bf8a8 Mon Sep 17 00:00:00 2001 
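Review bot: The `'../' in file_uri` test at the top of the hunk checks the request string, but within the visible lines nothing checks the `file_path` that the new `if file_uri:` branch builds, so a request that joins to a location outside `file_or_directory` is only rejected if it literally contains `../`. A containment check on the final path closes that gap: after the `file_path = unquote(file_path)` line that follows this hunk, add `root = path.abspath(file_or_directory)` and `if path.commonpath([root, path.abspath(file_path)]) != root: raise InvalidUsage("Invalid URL")`. `path.abspath` normalises the string without resolving symlinks, so it should avoid the `realpath` cost that the comment above the guard mentions. The enclosing handler starts and ends outside the hunk.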
From: Eli Uriegas Date: Sat, 24 Dec 2016 18:11:46 -0800 Subject: [PATCH 5/5] Remove trailing whitespace --- sanic/static.py | 1 - 1 file changed, 1 deletion(-) diff --git a/sanic/static.py b/sanic/static.py index e39dd76f..9f5f2d52 100644 --- a/sanic/static.py +++ b/sanic/static.py @@ -33,7 +33,6 @@ def register(app, uri, file_or_directory, pattern, use_modified_since): # served. os.path.realpath seems to be very slow if file_uri and '../' in file_uri: raise InvalidUsage("Invalid URL") - # Merge served directory and requested file if provided # Strip all / that in the beginning of the URL to help prevent python # from herping a derp and treating the uri as an absolute path