fix: resolve directory before appending filename

We did the order wrong, causing the security measure to think the file was not a child of the directory that was allowed to serve. This happens in pyinstaller for OSX, where some files in /Contents/Resources link to files in /Contents/Frameworks.
widgetti · Sep 5, 2024 · 16ba7bf · 16ba7bf
1 parent 4686075
commit 16ba7bf
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/solara/server/starlette.py b/solara/server/starlette.py
@@ -483,9 +483,9 @@ def get_directories(
     # from https://github.com/encode/starlette/pull/1377/files
     def lookup_path(self, path: str) -> typing.Tuple[str, typing.Optional[os.stat_result]]:
         for directory in self.all_directories:
+            directory = os.path.realpath(directory)
             original_path = os.path.join(directory, path)
             full_path = os.path.realpath(original_path)
-            directory = os.path.realpath(directory)
             # return early if someone tries to access a file outside of the directory
             if not path_is_child_of(Path(original_path), Path(directory)):
                 return "", None