bottlepy / bottle

bottle.py is a fast and simple micro-framework for python web-applications.
http://bottlepy.org/
MIT License

Does bottle's static_file function have protections against directory traversal? #1446

Closed danj2k closed 1 month ago

danj2k commented 1 month ago

I had a quick look at the code and I could see some checks in there, but I was wondering if it has defences against directory traversal?

For example a user requesting a URL like:

http://bottle:8080/path/to/file/../../../../../etc/passwd

Or something similar.

Do any of the existing checks protect against this type of vulnerability?

defnull commented 1 month ago

Yes, the filename parameter is joined with the (trusted) root path and then made absolute. If the resulting path is no longer within root, an error is returned.

See https://github.com/bottlepy/bottle/blob/master/bottle.py#L2868-L2872 and the docstring that says "Read-protected files or files outside of the root directory are answered with 403 Access Denied."
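As an added example (not bottle's own code), the containment check defnull describes, reimplemented in plain Python and run against the traversal URL from the question; it assumes a POSIX filesystem and a hypothetical static root of `/srv/static`:

```python
import os

# Constructed example, modelled on the behaviour described in the answer:
# join the untrusted filename with the trusted root, make the result
# absolute, and refuse anything that no longer sits inside the root.


def resolve_static_path(root, filename):
    """Return the absolute on-disk path for `filename` under `root`, or
    None when the resolved path escapes `root` (the 403 case)."""
    # Normalise the root to an absolute path with a trailing separator, so a
    # sibling such as /srv/static-private cannot pass a prefix test against
    # /srv/static.
    root_dir = os.path.join(os.path.abspath(root), "")
    # Strip leading separators: os.path.join() would otherwise discard the
    # root entirely when given an absolute filename such as "/etc/passwd".
    candidate = os.path.abspath(os.path.join(root_dir, filename.strip("/\\")))
    if not candidate.startswith(root_dir):
        return None
    return candidate


def serve_decision(root, filename):
    """Map the containment check onto the HTTP status a static handler
    would use: 403 for an escape, otherwise 200 with the path to open."""
    path = resolve_static_path(root, filename)
    if path is None:
        return 403, None
    return 200, path


if __name__ == "__main__":
    ROOT = "/srv/static"  # hypothetical static root
    for name in ("css/site.css",
                 "path/to/file/../../../../../etc/passwd",  # from the issue
                 "/etc/passwd",
                 "../static-private/secret"):
        print(name, "->", serve_decision(ROOT, name))
```

Note that `os.path.abspath` is purely lexical: a symlink placed inside the root that points outside it is not detected by this check, so the file-system permissions on the root still matter.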