From: Marcelo Trylesinski
Date: Fri, 24 Jan 2025 11:13:42 +0000 (+0100)
Subject: Turn directory into string on `lookup_path` on commonpath comparison (#2851)
X-Git-Tag: 0.45.3~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f137494160fad01f75ae54b8867ecc8f762bc118;p=thirdparty%2Fstarlette.git
Turn directory into string on `lookup_path` on commonpath comparison (#2851)
* Turn directory into string on `lookup_path` on commonpath comparison
* remove str cast complication
---
diff --git a/starlette/staticfiles.py b/starlette/staticfiles.py
index 746e740e..34be04cd 100644
--- a/starlette/staticfiles.py
+++ b/starlette/staticfiles.py
@@ -156,9 +156,8 @@ class StaticFiles:
 else:
 full_path = os.path.realpath(joined_path)
 directory = os.path.realpath(directory)
- if os.path.commonpath([full_path, directory]) != directory:
- # Don't allow misbehaving clients to break out of the static files
- # directory.
+ if os.path.commonpath([full_path, directory]) != str(directory):
+ # Don't allow misbehaving clients to break out of the static files directory.
 continue
 try:
 return full_path, os.stat(full_path)
diff --git a/tests/test_staticfiles.py b/tests/test_staticfiles.py
index b4f13171..2c5e7e2d 100644
--- a/tests/test_staticfiles.py
+++ b/tests/test_staticfiles.py
@@ -576,16 +576,15 @@ def test_staticfiles_avoids_path_traversal(tmp_path: Path) -> None:
 assert exc_info.value.detail == "Not Found"
-def test_staticfiles_self_symlinks(tmpdir: Path, test_client_factory: TestClientFactory) -> None:
- statics_path = os.path.join(tmpdir, "statics")
- os.mkdir(statics_path)
+def test_staticfiles_self_symlinks(tmp_path: Path, test_client_factory: TestClientFactory) -> None:
+ statics_path = tmp_path / "statics"
+ statics_path.mkdir()
- source_file_path = os.path.join(statics_path, "index.html")
- with open(source_file_path, "w") as file:
- file.write("
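Review bot: The `str(directory)` cast on the new comparison line is not explained, and as far as I can tell `os.path.realpath` (and the `os.path.abspath` call in the sibling branch) already return a `str` for path-like input on the supported Python versions, so the cast reads as a no-op; if there is a case where `directory` reaches this line as something other than a `str`, the comment should name it, e.g. `# commonpath() returns str; compare against the str form of directory.`, otherwise drop the cast rather than leave readers guessing which type `directory` has here. This comparison is the only thing keeping a resolved `full_path` inside the served directory, so the rewritten comment should keep stating that role explicitly rather than only shortening the old one. `lookup_path` starts and ends outside the hunk.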

Hello

")
+    source_file_path = statics_path / "index.html"
+    source_file_path.write_text("

Hello

", encoding="utf-8")
-    statics_symlink_path = os.path.join(tmpdir, "statics_symlink")
-    os.symlink(statics_path, statics_symlink_path)
+    statics_symlink_path = tmp_path / "statics_symlink"
+    statics_symlink_path.symlink_to(statics_path)
 app = StaticFiles(directory=statics_symlink_path, follow_symlink=True)
 client = test_client_factory(app)