From 2530329ae2e7578595f3b2111818537febb62602 Mon Sep 17 00:00:00 2001
From: YanTong C
Date: Wed, 15 Apr 2026 13:48:59 +0200
Subject: [PATCH] osmo-smdpp.py: use commonpath in transversal check
Use commonpath, as commonprefix allows accessing a sibiling directory with the same prefix.
Change-Id: I7a42b40aa2bbcd5f0ec99f172503354c6eaa9828
---
 osmo-smdpp.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/osmo-smdpp.py b/osmo-smdpp.py
index d1d6fd75..2a8e4782 100755
--- a/osmo-smdpp.py
+++ b/osmo-smdpp.py
@@ -640,7 +640,7 @@ class SmDppHttpServer:
 # look up profile based on matchingID. We simply check if a given file exists for now..
 path = os.path.join(self.upp_dir, matchingId) + '.der'
 # prevent directory traversal attack
- if os.path.commonprefix((os.path.realpath(path),self.upp_dir)) != self.upp_dir:
+ if os.path.commonpath((os.path.realpath(path),self.upp_dir)) != self.upp_dir:
 raise ApiError('8.2.6', '3.8', 'Refused')
 if not os.path.isfile(path) or not os.access(path, os.R_OK):
 raise ApiError('8.2.6', '3.8', 'Refused')
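Review bot: The comparison on the new `os.path.commonpath(...)` line is only sound if `self.upp_dir` is already absolute, normalised and symlink-resolved, which this hunk does not show. `commonpath` returns a normalised path without a trailing separator and raises `ValueError` when one argument is absolute and the other relative, so a relative or slash-terminated `upp_dir` would turn every lookup into a refusal or an unhandled exception instead of an `ApiError`. Resolving both sides once removes that dependency: `base = os.path.realpath(self.upp_dir)`, `real = os.path.realpath(path)`, `if os.path.commonpath((real, base)) != base:`. The `isfile`/`access` checks that follow still use the unresolved `path`; using `real` there (and wherever the file is later opened) keeps the validated path and the accessed path the same. The enclosing method starts and ends outside the hunk, so where `upp_dir` is assigned and where the profile is read should be confirmed against the full file.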