From a5ed4cf3e7f71996c9fa2fcdbcd3a0b3812f2cb2 Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Tue, 14 Oct 2025 16:54:57 +0530
Subject: [PATCH] fix(static_page): ensure that requested files are within app/www

Signed-off-by: Akhil Narang
---
 frappe/website/page_renderers/static_page.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/frappe/website/page_renderers/static_page.py b/frappe/website/page_renderers/static_page.py
index 53033d1c5a..651870966c 100644
--- a/frappe/website/page_renderers/static_page.py
+++ b/frappe/website/page_renderers/static_page.py
@@ -1,5 +1,6 @@
 import mimetypes
 import os
+from pathlib import Path
 
 from werkzeug.wrappers import Response
 from werkzeug.wsgi import wrap_file
@@ -34,9 +35,15 @@ class StaticPage(BaseRenderer):
 		if not self.is_valid_file_path():
 			return
 		for app in frappe.get_installed_apps():
-			file_path = frappe.get_app_path(app, "www") + "/" + self.path
-			if os.path.isfile(file_path) and is_binary_file(file_path):
-				self.file_path = file_path
+			app_path = Path(frappe.get_app_path(app, "www"))
+			requested_path = (app_path / self.path).resolve()
+			if (
+				requested_path.is_relative_to(app_path)
+				and requested_path.is_file()
+				and is_binary_file(requested_path)
+			):
+				self.file_path = requested_path
+				break
 
 	def can_render(self):
 		return self.is_valid_file_path() and self.file_path
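Review bot: In the second hunk `app_path` is compared unresolved while `requested_path` has been canonicalised with `resolve()`, so if any component of the app's `www` directory is a symlink (a symlinked apps checkout, for instance) the resolved request will not be `is_relative_to(app_path)` and every static file of that app is refused; resolving the base the same way keeps the containment check meaningful without weakening it: `app_path = Path(frappe.get_app_path(app, "www")).resolve()`. `self.file_path` now holds a `Path` rather than the `str` the removed lines produced, so `is_binary_file` and whatever reads `self.file_path` later in the class should be confirmed to accept a `PathLike` — those consumers are outside this hunk. The new `break` also changes which app serves a file that several apps ship, from the last matching installed app to the first; if that is intended, a comment such as `# first installed app that ships the file wins` would make it explicit for the next reader. The enclosing method's signature starts above the hunk.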