issues: 465728430

This data as json

id	node_id	number	title	user	state	locked	assignee	milestone	comments	created_at	updated_at	closed_at	author_association	pull_request	body	repo	type	active_lock_reason	performed_via_github_app	reactions	draft	state_reason
465728430	MDExOlB1bGxSZXF1ZXN0Mjk1NzExNTA0	554	Fix static mounts using relative paths and prevent traversal exploits	3243482	closed	0			4	2019-07-09T11:32:02Z	2019-07-11T16:29:26Z	2019-07-11T16:13:19Z	CONTRIBUTOR	simonw/datasette/pulls/554	While debugging why my static mounts using a relative path (`--static mystatic:rel/path/to/dir`) not working, I noticed that the requests fail no matter what, returning 404 errors. The reason is that datasette tries to prevent traversal exploits by checking if the path is relative to its registered directory. This check fails when the mount is a relative directory, because `/abs/dir/file` obviously not under `dir/file`. https://github.com/simonw/datasette/blob/81fa8b6cdc5457b42a224779e5291952314e8d20/datasette/utils/asgi.py#L303-L306 This also has the consequence of returning any requested file, because when `/abs/dir/../../evil.file` resolves `aiofiles` happily returns it to the client after it resolves the path itself. The solution is to make sure we're checking relativity of paths after they're fully resolved. I've implemented the mentioned changes and also updated the tests.	107914493	pull			{ "url": "https://api.github.com/repos/simonw/datasette/issues/554/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 }	0

Links from other tables

0 rows from issues_id in issues_labels
4 rows from issue in issue_comments