Add disallowed_chars option to StaticRoute for custom filename filtering#2675
Open
zain-asif-dev wants to merge 3 commits into
Open
Conversation
CaselIT
requested changes
Jul 6, 2026
CaselIT
left a comment
Member
There was a problem hiding this comment.
thanks, change looks mostly fine.
Left a few suggestion and a question regarding impl, mainly for the other maintainers
Author
|
Good catch, those notes were written by me for this PR, not vytas. Re-attributed them to myself. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #2675 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 64 64
Lines 7985 7992 +7
Branches 1103 1105 +2
=========================================
+ Hits 7985 7992 +7 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
StaticRoute hard-codes a set of characters it refuses to serve, including the tilde. This breaks legitimate use cases such as files produced by build tools that include a tilde in the name (e.g. default~module.js from an Angular build), forcing users to either give up on falcon's static file serving or monkeypatch the private _DISALLOWED_CHARS_PATTERN attribute. Fixes falconry#1649. Added a disallowed_chars constructor parameter (and the matching add_static_route() argument) that overrides the set of extra characters to disallow, interpreted as the body of a regex character class. Passing None (the default) keeps the previous behavior via the newly public DEFAULT_DISALLOWED_CHARS attribute, and passing an empty string disables the extra check entirely. The NUL byte and the Unicode replacement character are always rejected regardless of this setting, since letting those through could result in surprising behavior. This matches the approach discussed in the issue: keep serving tilde files disallowed by default so this isn't a breaking change, but let callers opt into a different set of disallowed characters. Signed-off-by: Zain Asif <zainasif.jutt1@gmail.com>
Signed-off-by: Zain Asif <zainasif.jutt1@gmail.com>
Signed-off-by: Zain Asif <zainasif.jutt1@gmail.com>
32d8add to
f77a7bc
Compare
Author
|
Combined the two regex checks into one: the always-disallowed NUL byte and replacement character are now folded into _disallowed_chars_pattern at construction time, so match() only performs a single regex search. Also rebased onto latest master. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fixes #1649.
StaticRoutehard-codes the set of characters it refuses to serve via a private_DISALLOWED_CHARS_PATTERN, which includes the tilde (~). This breaks legitimate use cases such as serving build output that legitimately contains a tilde in the filename (e.g.default~module.jsfrom an Angular build), and the only workaround is monkeypatching a private attribute.As discussed in the issue, this keeps the default behavior unchanged (tilde and friends are still disallowed unless a caller opts out), and adds a way to configure the set of disallowed characters:
disallowed_charsparameter toStaticRoute.__init__(and, correspondingly, toApp.add_static_route()), which overrides the extra characters to disallow. It's interpreted as the body of a regex character class, matching how the existing pattern is built internally.None(the default) preserves the previous behavior.StaticRoute.DEFAULT_DISALLOWED_CHARS, so callers can build on top of it (e.g.DEFAULT_DISALLOWED_CHARS.replace('~', '')) instead of having to hand-write the full character list.\ufffd) are always rejected via a separate, non-configurable check, since letting those through could result in surprising or unsafe behavior.Testing
Added tests to
tests/test_static.py:test_disallowed_chars_default: passingNoneor the literal default string behaves the same as before (tilde still blocked).test_disallowed_chars_override: overridingdisallowed_charsto a narrower set of control-character ranges allows serving a file with a tilde in its name.test_disallowed_chars_override_still_blocks_nul_and_replacement_char: even with an emptydisallowed_charsoverride, the NUL byte and\ufffdare still rejected.test_add_static_route_disallowed_chars: exercises the new parameter throughApp.add_static_route()end to end via the test client.Ran the full existing
tests/test_static.pysuite (291 tests, including the 12 new ones) as well as the full test suite (4037 passed, 426 skipped, 1 pre-existing failure intest_asgi_servers.py::TestWebSocketunrelated to this change and reproducible on a clean checkout of master, likely due to awebsocketslibrary version mismatch in my local environment). Also ranruff check,ruff format --check, andmypyagainst the changed files, all clean.