From b234504b495075ed218d7a89d5ed2280a85cb590 Mon Sep 17 00:00:00 2001
From: klemek
Date: Tue, 2 Jun 2026 22:25:17 +0200
Subject: [PATCH] fix(handlers): check certbot challenge

---
 stapler/handlers.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/stapler/handlers.py b/stapler/handlers.py
index 7a1913a..8575c00 100644
--- a/stapler/handlers.py
+++ b/stapler/handlers.py
@@ -536,7 +536,7 @@ class RequestHandler(http.server.SimpleHTTPRequestHandler, BaseHandler):
 return True
 
 def _proxy_or_redirect(self) -> bool:
- if self.has_token or self.path.startswith(self.CERTBOT_CHALLENGE_PATH):
+ if self.has_token or self._is_certbot_challenge(self.path):
 return False
 if (page := self.__get_page(self.path)) is None:
 return False
@@ -556,9 +556,14 @@ class RequestHandler(http.server.SimpleHTTPRequestHandler, BaseHandler):
 """Disable default directory listing."""
 self.send_error(http.HTTPStatus.NOT_FOUND, "File not found")
 
+ def _is_certbot_challenge(self, path: str) -> bool:
+ return path.startswith(self.CERTBOT_CHALLENGE_PATH) and pathlib.Path(
+ self.certbot_www + path
+ ).resolve().is_relative_to(self.certbot_www)
+
 @typing.override
 def translate_path(self, path: str) -> str:
- if path.startswith(self.CERTBOT_CHALLENGE_PATH):
+ if self._is_certbot_challenge(path):
 return self.certbot_www + path
 page = self.__get_page(path)
 if page is None:
@@ -655,7 +660,7 @@ class UpgradeHandler(RequestHandler):
 
 def do_GET(self) -> None:
 with self.handle_errors():
- if self.path.startswith(self.CERTBOT_CHALLENGE_PATH):
+ if self._is_certbot_challenge(self.path):
 super().do_GET()
 self.close_connection = True
 else:
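Review bot: In `_proxy_or_redirect` (first hunk), a request that carries the challenge prefix but fails the new containment check is not refused; it is treated as an ordinary page request and continues to `self.__get_page(self.path)` with its dot-segments intact. The same fall-through applies in `translate_path` (second hunk) and in the `else:` branch of `UpgradeHandler.do_GET` (third hunk). All three bodies continue outside the hunks, so whether the page lookup normalises such a path cannot be confirmed from this patch. Rejecting these requests before any lookup would be easier to audit, for example by answering a prefixed path that fails `_is_certbot_challenge` with `self.send_error(http.HTTPStatus.NOT_FOUND, "File not found")`.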
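Review bot: `_is_certbot_challenge` (second hunk) compares a resolved path against the unresolved string `self.certbot_www`, and it bounds the request to the whole webroot rather than to the challenge directory. If `certbot_www` is relative or reached through a symlink, `resolve()` yields a different absolute path and the check fails for every challenge request. Conversely, any file elsewhere under the webroot still passes the check, and `translate_path` then returns the unresolved `self.certbot_www + path`. Resolving the base once and testing against it addresses both: `base = pathlib.Path(self.certbot_www + self.CERTBOT_CHALLENGE_PATH).resolve()` followed by `return path.startswith(self.CERTBOT_CHALLENGE_PATH) and pathlib.Path(self.certbot_www + path).resolve().is_relative_to(base)`. The helper should also carry a one-line docstring such as `"""Return True only if path has the challenge prefix and resolves inside the challenge directory."""`, and since the patch adds no import line, `pathlib` is presumably already imported at the top of the file, which is worth confirming.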