From 83507c60ff28ab0bd7e87217bdd53c8b56ca4715 Mon Sep 17 00:00:00 2001
From: Fabian Knittel
Date: Thu, 26 Apr 2012 21:18:31 +0200
Subject: [PATCH] tftpy/TftpStates.py: fix security problem regarding path check

This patch fixes the request path check. It makes sure that requested paths are _below_ the specified root directory.
---
 tftpy/TftpStates.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tftpy/TftpStates.py b/tftpy/TftpStates.py
index 3098e45..8e4ad1e 100644
--- a/tftpy/TftpStates.py
+++ b/tftpy/TftpStates.py
@@ -257,7 +257,7 @@ class TftpServerState(TftpState):
 full_path = os.path.join(self.context.root, pkt.filename)
 self.full_path = os.path.abspath(full_path)
 log.debug("full_path is %s" % full_path)
-if self.context.root == full_path[:len(self.context.root)]:
+if self.full_path.startswith(self.context.root):
 log.info("requested file is in the server root - good")
 else:
 log.warn("requested file is not within the server root - bad")
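Review bot: The new `self.full_path.startswith(self.context.root)` check is still bypassable by a sibling directory that shares the root as a string prefix: with a root of `/srv/tftp`, a request for `../tftp2/secret` normalizes to `/srv/tftp2/secret`, which starts with `/srv/tftp` and is accepted. The comparison needs a separator-aware prefix and a normalized root, e.g. `root = os.path.abspath(self.context.root)` followed by `if self.full_path == root or self.full_path.startswith(root + os.sep):`; normalizing the root also makes the check independent of whether `self.context.root` was configured with a trailing slash or as a relative path, which the hunk does not show. If symlinks inside the root are a concern, `os.path.realpath` on both sides would be needed as well, since `abspath` only collapses `..` lexically — whether that matters here depends on deployment and is not visible in the diff. The `log.debug` line still prints the un-normalized `full_path` rather than `self.full_path`, so the logged value is not the one the check actually tests. The enclosing method starts and ends outside the hunk.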