Merge branch 'branch4.2'

ydaniv · Jul 17, 2015 · cb12ad0 · cb12ad0
2 parents d8d5f58 + 5d4d114
commit cb12ad0
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 3 deletions.
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -9,6 +9,7 @@ include tornado/test/gettext_translations/fr_FR/LC_MESSAGES/tornado_test.po
 include tornado/test/options_test.cfg
 include tornado/test/static/robots.txt
 include tornado/test/static/dir/index.html
+include tornado/test/static_foo.txt
 include tornado/test/templates/utf8.html
 include tornado/test/test.crt
 include tornado/test/test.key

diff --git a/docs/releases.rst b/docs/releases.rst
@@ -5,6 +5,7 @@ Release notes
    :maxdepth: 2
 
    releases/next
+   releases/v4.2.1
    releases/v4.2.0
    releases/v4.1.0
    releases/v4.0.2

diff --git a/docs/releases/v4.2.1.rst b/docs/releases/v4.2.1.rst
@@ -0,0 +1,12 @@
+What's new in Tornado 4.2.1
+===========================
+
+Jul 17, 2015
+------------
+
+Security fix
+~~~~~~~~~~~~
+
+* This release fixes a path traversal vulnerability in `.StaticFileHandler`,
+  in which files whose names *started with* the ``static_path`` directory
+  but were not actually *in* that directory could be accessed.
diff --git a/setup.py b/setup.py
@@ -147,6 +147,7 @@ def build_extension(self, ext):
             "options_test.cfg",
             "static/robots.txt",
             "static/dir/index.html",
+            "static_foo.txt",
             "templates/utf8.html",
             "test.crt",
             "test.key",

diff --git a/tornado/test/static_foo.txt b/tornado/test/static_foo.txt
@@ -0,0 +1,2 @@
+This file should not be served by StaticFileHandler even though
+its name starts with "static".
diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
@@ -1181,6 +1181,15 @@ def test_static_404(self):
         response = self.get_and_head('/static/blarg')
         self.assertEqual(response.code, 404)
 
+    def test_path_traversal_protection(self):
+        with ExpectLog(gen_log, ".*not in root static directory"):
+            response = self.get_and_head('/static/../static_foo.txt')
+        # Attempted path traversal should result in 403, not 200
+        # (which means the check failed and the file was served)
+        # or 404 (which means that the file didn't exist and
+        # is probably a packaging error).
+        self.assertEqual(response.code, 403)
+
 
 @wsgi_safe
 class StaticDefaultFilenameTest(WebTestCase):

diff --git a/tornado/web.py b/tornado/web.py
@@ -2379,9 +2379,13 @@ def validate_absolute_path(self, root, absolute_path):
 
         .. versionadded:: 3.1
         """
-        root = os.path.abspath(root)
-        # os.path.abspath strips a trailing /
-        # it needs to be temporarily added back for requests to root/
+        # os.path.abspath strips a trailing /.
+        # We must add it back to `root` so that we only match files
+        # in a directory named `root` instead of files starting with
+        # that prefix.
+        root = os.path.abspath(root) + os.path.sep
+        # The trailing slash also needs to be temporarily added back
+        # the requested path so a request to root/ will match.
         if not (absolute_path + os.path.sep).startswith(root):
             raise HTTPError(403, "%s is not in root static directory",
                             self.path)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		This file should not be served by StaticFileHandler even though
		its name starts with "static".