tornado 4.2.1 security update breaks tornado_xstatic

[mgmarino]

Recent updates to tornado break the tornado_xstatic service (due to the use of root='/'), see tornadoweb/tornado@ecb3ea7 . The security update has the (intended or unintended?) effect that root='/' is no longer possible.

Basically, os.path.sep is now appended to root, meaning that the subsequent check fails. Typical failure message:

WARNING:tornado.general:403 GET /xstatic/termjs/term.js?v=a1c04b2327100ce4f16e3d96cf92035b (::1): termjs/term.js is not in root static directory

Perhaps the root can be defined using xstatic.__path__[0] (which would need to be subsequently stripped in _get_xstatic_data_dir)? Shouldn't all xstatic packages be located under this?

[takluyver]

That's annoying. XStatic is a namespace package, which means that different parts may be installed in different locations. I'll see what's possible.

[liudonghua123]

I also have this problems, and finally I fixed it via #4.