From 4aa3cd97010d0597f3b6eaa8970f8db18c4c35bd Mon Sep 17 00:00:00 2001
From: Egor Tensin <Egor.Tensin@gmail.com>
Date: Sat, 6 Mar 2021 01:01:23 +0300
Subject: server.py: only run from the script's directory

---
 server.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/server.py b/server.py
index d5a0f35..6052b06 100755
--- a/server.py
+++ b/server.py
@@ -10,6 +10,7 @@
 
 import argparse
 import http.server
+import os
 import sys
 
 from app import Request
@@ -18,6 +19,10 @@ from app import Request
 DEFAULT_PORT = 18101
 
 
+def script_dir():
+    return os.path.dirname(os.path.realpath(__file__))
+
+
 class RequestHandler(http.server.SimpleHTTPRequestHandler):
     def do_GET(self):
         try:
@@ -44,6 +49,9 @@ def parse_args(args=None):
 
 
 def main(args=None):
+    # It's a failsafe; this script is only allowed to serve the directory it
+    # resides in.
+    os.chdir(script_dir())
     args = parse_args(args)
     addr = ('', args.port)
     httpd = http.server.ThreadingHTTPServer(addr, RequestHandler)
-- 
cgit v1.2.3