mirror of
https://github.com/zulip/zulip.git
synced 2025-10-23 04:52:12 +00:00
This prevents a development-mode-only directory traversal attack, where the Django development server could be made to respond to requests for `/user_avatars/../../../../../../etc/passwd`. The production server is not affected by this vulnerability, as nginx's configuration sets `PATH_INFO` to `$document_uri`, which is normalized[^1] -- that is, by the time uwsgi and Django see it, the path has been percent-decoded once, and all `../` path components have been applied[^2].

Close this by explicitly normalizing the paths before comparing; the `LOCAL_UPLOADS_DIR` side is unlikely to require normalization as well, but is also normalized for consistency.

The failure here is left as an assertion failure, and not a JsonableError, because it only affects the development server.

[^1]: https://nginx.org/en/docs/http/ngx_http_core_module.html#var_uri
[^2]: https://nginx.org/en/docs/http/ngx_http_core_module.html#location
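As an added example (not Zulip's own code), the naive string-prefix check sits beside the normalized comparison the commit describes. The upload directory and the `/user_avatars/` to `avatars/` mapping are constructed assumptions, and the hardened function returns `None` instead of the commit's assertion failure so the outcome can be checked.

```python
import posixpath
from typing import Optional

# Constructed values standing in for Zulip's LOCAL_UPLOADS_DIR and its
# avatar subdirectory; the real settings are not part of this page.
LOCAL_UPLOADS_DIR = "/srv/zulip/uploads"
AVATAR_ROOT = posixpath.join(LOCAL_UPLOADS_DIR, "avatars")
URL_PREFIX = "/user_avatars/"


def local_path_naive(path_info: str) -> Optional[str]:
    """Pre-fix behaviour: join the request path onto the avatar directory and
    trust a textual prefix check. The '../' components are never applied, so
    the check passes and the filesystem later resolves them out of the tree."""
    if not path_info.startswith(URL_PREFIX):
        return None
    local = posixpath.join(AVATAR_ROOT, path_info[len(URL_PREFIX):])
    # BUG: 'local' still starts with AVATAR_ROOT as a string, '..' and all.
    return local if local.startswith(AVATAR_ROOT + "/") else None


def local_path_normalized(path_info: str) -> Optional[str]:
    """Fixed behaviour: normalize both sides, then require the resolved path
    to lie strictly inside the normalized root. commonpath() (rather than
    startswith) also rejects a sibling directory such as 'avatars2'."""
    if not path_info.startswith(URL_PREFIX):
        return None
    root = posixpath.normpath(AVATAR_ROOT)
    local = posixpath.normpath(
        posixpath.join(root, path_info[len(URL_PREFIX):]))
    # commonpath() returns 'root' only when 'local' is at or below it;
    # 'local == root' covers a bare '/user_avatars/' request.
    if local == root or posixpath.commonpath([root, local]) != root:
        return None
    return local
```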