fix(handlers): check certbot challenge

stapler/handlers.py

@@ -536,7 +536,7 @@ class RequestHandler(http.server.SimpleHTTPRequestHandler, BaseHandler):
         return True
 
     def _proxy_or_redirect(self) -> bool:
-        if self.has_token or self.path.startswith(self.CERTBOT_CHALLENGE_PATH):
+        if self.has_token or self._is_certbot_challenge(self.path):
             return False
         if (page := self.__get_page(self.path)) is None:
             return False
@@ -556,9 +556,14 @@ class RequestHandler(http.server.SimpleHTTPRequestHandler, BaseHandler):
         """Disable default directory listing."""
         self.send_error(http.HTTPStatus.NOT_FOUND, "File not found")
 
+    def _is_certbot_challenge(self, path: str) -> bool:
+        return path.startswith(self.CERTBOT_CHALLENGE_PATH) and pathlib.Path(
+            self.certbot_www + path
+        ).resolve().is_relative_to(self.certbot_www)
+
     @typing.override
     def translate_path(self, path: str) -> str:
-        if path.startswith(self.CERTBOT_CHALLENGE_PATH):
+        if self._is_certbot_challenge(path):
             return self.certbot_www + path
         page = self.__get_page(path)
         if page is None:
@@ -655,7 +660,7 @@ class UpgradeHandler(RequestHandler):
 
     def do_GET(self) -> None:
         with self.handle_errors():
-            if self.path.startswith(self.CERTBOT_CHALLENGE_PATH):
+            if self._is_certbot_challenge(self.path):
                 super().do_GET()
                 self.close_connection = True
             else: