authorFabian Knittel <fabian.knittel@lettink.de>2012-04-26 21:18:31 +0200
committerFabian Knittel <fabian.knittel@lettink.de>2012-04-26 21:18:31 +0200
commit83507c60ff28ab0bd7e87217bdd53c8b56ca4715 (patch)
treeef36a6ce25e51d4541a9a1fef051371c4811d171
parentc52ea929bb97dde7a70f2b2bae3de170311a59f6 (diff)
tftpy/TftpStates.py: fix security problem regarding path check
This patch fixes the request path check. It makes sure that requested paths are _below_ the specified root directory.
-rw-r--r--tftpy/TftpStates.py2
1 files changed, 1 insertions, 1 deletions
diff --git a/tftpy/TftpStates.py b/tftpy/TftpStates.py
index 3098e45..8e4ad1e 100644
--- a/tftpy/TftpStates.py
+++ b/tftpy/TftpStates.py
@@ -257,7 +257,7 @@ class TftpServerState(TftpState):
full_path = os.path.join(self.context.root, pkt.filename)
self.full_path = os.path.abspath(full_path)
log.debug("full_path is %s" % full_path)
- if self.context.root == full_path[:len(self.context.root)]:
+ if self.full_path.startswith(self.context.root):
log.info("requested file is in the server root - good")
else:
log.warn("requested file is not within the server root - bad")
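Review bot: The added test `self.full_path.startswith(self.context.root)` is a plain string-prefix comparison, so a resolved path in a sibling directory whose name merely begins with the root's name (constructed example: root `/srv/tftp`, resolved path `/srv/tftp-old/x`) still passes as "in the server root". Comparing on a path-component boundary closes that gap: `root = os.path.join(os.path.abspath(self.context.root), '')` followed by `if self.full_path.startswith(root):`. `os.path.abspath` only normalizes the string and does not resolve symlinks, so if links inside the root can point elsewhere, `os.path.realpath` on both sides would be the safer choice. The `log.debug` line still prints the un-normalized `full_path` rather than `self.full_path`, which makes the log less useful when reviewing rejected requests. The enclosing method starts and ends outside the hunk, so whether `self.context.root` is already absolute and normalized cannot be confirmed from here.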