fix: resolve directory before appending filename

We did the order wrong, causing the security measure to think the file was not a child of the directory that was allowed to serve. This happens in pyinstaller for OSX, where some files in /Contents/Resources link to files in /Contents/Frameworks.
widgetti · Sep 5, 2024 · ee42a8b · ee42a8b
1 parent 4686075
commit ee42a8b
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 5 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -341,7 +341,7 @@ jobs:
         # only 1 version, it's heavy
         python-version: ["3.10"]
     env:
-      LOCK_FILE_LOCATION: .ci-package-locks/qt/os${{ matrix.os }}-python${{ matrix.python-version }}.txt
+      LOCK_FILE_LOCATION: .ci-package-locks/qt-test/os${{ matrix.os }}-python${{ matrix.python-version }}.txt
     steps:
       - uses: ConorMacBride/install-package@v1
         with:
@@ -391,15 +391,17 @@ jobs:
         if: github.event_name == 'schedule' || steps.prepare.outputs.LOCKS_EXIST == 'false'
         id: install_no_lock
         run: |
-          pip install pyside6 qtpy pyinstaller
+          mkdir -p .ci-package-locks/qt-test
+          # see https://github.com/erocarrera/pefile/issues/420 for performance issues on
+          # windows for pefile == 2024.8.26
+          pip install pyside6 qtpy pyinstaller "pefile<2024.8.26"
           pip install `echo dist/*.whl`[all]
           pip install `echo packages/solara-server/dist/*.whl`[all]
           pip install `echo packages/solara-meta/dist/*.whl`[dev,documentation]
           pip freeze --exclude solara --exclude solara-ui --exclude solara-server > ${{ env.LOCK_FILE_LOCATION }}
           git diff --exit-code | tee ${{ env.DIFF_FILE_LOCATION }}
           [ -s ${{ env.DIFF_FILE_LOCATION }} ] || echo "HAS_DIFF=true" >> "$GITHUB_OUTPUT"
 
-
       - name: Install
         if: github.event_name != 'schedule' && steps.prepare.outputs.LOCKS_EXIST == 'true'
         run: |

diff --git a/pyinstaller/embedded_browser/solara-qt.spec b/pyinstaller/embedded_browser/solara-qt.spec
@@ -17,7 +17,7 @@ codesign_identity = os.environ.get("DEVELOPER_ID_APPLICATION")
 datas = [
     (Path(sys.prefix) / "share" / "jupyter", "./share/jupyter"),
     (Path(sys.prefix) / "etc" / "jupyter", "./etc/jupyter"),
-    ("test_pywebview.vue", "."),
+    ("render_test.vue", "."),
 ]
 
 block_cipher = None

diff --git a/solara/server/starlette.py b/solara/server/starlette.py
@@ -483,9 +483,9 @@ def get_directories(
     # from https://github.com/encode/starlette/pull/1377/files
     def lookup_path(self, path: str) -> typing.Tuple[str, typing.Optional[os.stat_result]]:
         for directory in self.all_directories:
+            directory = os.path.realpath(directory)
             original_path = os.path.join(directory, path)
             full_path = os.path.realpath(original_path)
-            directory = os.path.realpath(directory)
             # return early if someone tries to access a file outside of the directory
             if not path_is_child_of(Path(original_path), Path(directory)):
                 return "", None