From: Ted Kremenek
Date: Fri, 12 Oct 2012 22:56:38 +0000 (+0000)
Subject: Further harden checking that scan-view isn't serving up pages outside
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7642b9a55e853c27531e078da34ca95148182c3d;p=clang
Further harden checking that scan-view isn't serving up pages outside the server root.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@165839 91177308-0d34-0410-b5e6-96231b3b80d8
---
diff --git a/tools/scan-view/ScanView.py b/tools/scan-view/ScanView.py
index 3e03f1a6a3..32570b9858 100644
--- a/tools/scan-view/ScanView.py
+++ b/tools/scan-view/ScanView.py
@@ -708,8 +708,8 @@ File Bug
 def send_path(self, path):
 # If the requested path is outside the root directory, do not open it
- rel = os.path.relpath(path, self.server.root)
- if rel.startswith(os.pardir + os.sep):
+ rel = os.path.abspath(os.path.join(self.server.root, path))
+ if not rel.startswith(os.path.abspath(self.server.root) ):
 return self.send_404()
 ctype = self.guess_type(path)
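Review bot: The new containment test in `send_path` is a bare string-prefix comparison, so a resolved path in a sibling directory whose name merely begins with the root's name (constructed example: root `/srv/out`, resolved path `/srv/out-old/x`) still satisfies `rel.startswith(os.path.abspath(self.server.root))`. Anchor the comparison on a path separator: `root = os.path.abspath(self.server.root)` followed by `if rel != root and not rel.startswith(os.path.join(root, '')):`. `os.path.abspath` only normalises the string and does not resolve symlinks, so `os.path.realpath` on both sides is needed if links inside the report directory must not lead outside it. The rest of `send_path` lies outside the hunk, but the visible `self.guess_type(path)` still uses the unnormalised `path`; if the file is later opened from `path` rather than from `rel`, the path that was validated and the path that is served can differ, so the checked value should be the one carried forward. `rel` now holds an absolute path, so a name such as `full_path` would describe it better.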