Further harden checking that scan-view isn't serving up pages outside
the server root.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165839 91177308-0d34-0410-b5e6-96231b3b80d8
diff --git a/tools/scan-view/ScanView.py b/tools/scan-view/ScanView.py
index 3e03f1a..32570b9 100644
--- a/tools/scan-view/ScanView.py
+++ b/tools/scan-view/ScanView.py
@@ -708,8 +708,8 @@
def send_path(self, path):
# If the requested path is outside the root directory, do not open it
- rel = os.path.relpath(path, self.server.root)
- if rel.startswith(os.pardir + os.sep):
+ rel = os.path.abspath(os.path.join(self.server.root, path))
+ if not rel.startswith(os.path.abspath(self.server.root) ):
return self.send_404()
ctype = self.guess_type(path)
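Review bot: The new prefix test on the second added line is still a plain string comparison, so a sibling directory whose name merely begins with the root name (root `/srv/scan`, resolved path `/srv/scan2/x`) passes the check, because `startswith` does not require a path-separator boundary. Anchoring the comparison on the separator closes that case: `root = os.path.abspath(self.server.root)`, `rel = os.path.abspath(os.path.join(root, path))`, `if rel != root and not rel.startswith(root + os.sep):`. Note that `os.path.abspath` only collapses `..` components lexically and does not resolve symbolic links, so a link inside the root that points outside it would still pass; whether that matters depends on how the root is populated, which is not visible here. The stray space before the closing parenthesis in `os.path.abspath(self.server.root) )` should also go. The body of send_path continues past this hunk, so where the resolved path is actually opened (and whether it is `rel` or the unnormalized `path`) cannot be confirmed from these lines.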