Further harden checking that scan-view isn't serving up pages outside

the server root.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165839 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/tools/scan-view/ScanView.py b/tools/scan-view/ScanView.py
index 3e03f1a6a347a5b31d38e859d149b5ad1e4027d5..32570b985838497cc887d4e113b44a38c461cdd9 100644 (file)
--- a/tools/scan-view/ScanView.py
+++ b/tools/scan-view/ScanView.py
@@ -708,8 +708,8 @@ File Bug</h3>
 
     def send_path(self, path):
         # If the requested path is outside the root directory, do not open it
-        rel = os.path.relpath(path, self.server.root)
-        if rel.startswith(os.pardir + os.sep):
+        rel = os.path.abspath(os.path.join(self.server.root, path))
+        if not rel.startswith(os.path.abspath(self.server.root) ):
           return self.send_404()
         
         ctype = self.guess_type(path)