Avoid malicious user path input (#1855)

Co-authored-by: jan iversen <[email protected]>
pymodbus-dev · Oct 26, 2023 · ba906c1 · ba906c1
1 parent 927fa4d
commit ba906c1
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/pymodbus/server/simulator/http_server.py b/pymodbus/server/simulator/http_server.py
@@ -259,7 +259,9 @@ async def handle_html_static(self, request):
         """Handle static html."""
         if not (page := request.path[1:]):
             page = "index.html"
-        file = os.path.join(self.web_path, page)
+        file = os.path.normpath(os.path.join(self.web_path, page))
+        if not file.startswith(self.web_path):
+            raise ValueError(f"File access outside {self.web_path} not permitted.")
         try:
             with open(file, encoding="utf-8"):
                 return web.FileResponse(file)