tftpy/TftpStates.py: fix security problem regarding path check

This patch fixes the request path check. It makes sure that requested paths are _below_ the specified root directory.
2012-04-26 21:18:31 +02:00 · 2012-04-26 21:18:31 +02:00 · 83507c60ff
parent c52ea929bb
commit 83507c60ff
1 changed files with 1 additions and 1 deletions
--- a/tftpy/TftpStates.py
+++ b/tftpy/TftpStates.py
@ -257,7 +257,7 @@ class TftpServerState(TftpState):
        full_path = os.path.join(self.context.root, pkt.filename)
        self.full_path = os.path.abspath(full_path)
        log.debug("full_path is %s" % full_path)
-        if self.context.root == full_path[:len(self.context.root)]:
+        if self.full_path.startswith(self.context.root):
            log.info("requested file is in the server root - good")
        else:
            log.warn("requested file is not within the server root - bad")