From 1dd6d2d6dcf6b9c8ae3fd4d1905383453adc02a4 Mon Sep 17 00:00:00 2001
From: "Maarten A. Breddels"
Date: Tue, 3 Sep 2024 13:41:10 +0200
Subject: [PATCH] fix: resolve directory before appending filename

We did the order wrong, causing the security measure to think the file was not a child of the directory that was allowed to serve. This happens in pyinstaller for OSX, where some files in /Contents/Resources link to files in /Contents/Frameworks.
---
 .github/workflows/test.yaml | 4 ++--
 pyinstaller/embedded_browser/solara-qt.spec | 2 +-
 solara/server/starlette.py | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 8894bc6ae..500ea9f2e 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -341,7 +341,7 @@ jobs:
 # only 1 version, it's heavy
 python-version: ["3.10"]
 env:
- LOCK_FILE_LOCATION: .ci-package-locks/qt/os${{ matrix.os }}-python${{ matrix.python-version }}.txt
+ LOCK_FILE_LOCATION: .ci-package-locks/qt-test/os${{ matrix.os }}-python${{ matrix.python-version }}.txt
 steps:
 - uses: ConorMacBride/install-package@v1
 with:
@@ -391,6 +391,7 @@ jobs:
 if: github.event_name == 'schedule' || steps.prepare.outputs.LOCKS_EXIST == 'false'
 id: install_no_lock
 run: |
+ mkdir -p .ci-package-locks/qt-test
 pip install pyside6 qtpy pyinstaller
 pip install `echo dist/*.whl`[all]
 pip install `echo packages/solara-server/dist/*.whl`[all]
@@ -399,7 +400,6 @@ jobs:
 git diff --exit-code | tee ${{ env.DIFF_FILE_LOCATION }}
 [ -s ${{ env.DIFF_FILE_LOCATION }} ] || echo "HAS_DIFF=true" >> "$GITHUB_OUTPUT"
-
 - name: Install
 if: github.event_name != 'schedule' && steps.prepare.outputs.LOCKS_EXIST == 'true'
 run: |
diff --git a/pyinstaller/embedded_browser/solara-qt.spec b/pyinstaller/embedded_browser/solara-qt.spec
index 2239e4ecc..a57f8d019 100644
--- a/pyinstaller/embedded_browser/solara-qt.spec
+++ b/pyinstaller/embedded_browser/solara-qt.spec
@@ -17,7 +17,7 @@ codesign_identity = os.environ.get("DEVELOPER_ID_APPLICATION")
 datas = [
 (Path(sys.prefix) / "share" / "jupyter", "./share/jupyter"),
 (Path(sys.prefix) / "etc" / "jupyter", "./etc/jupyter"),
- ("test_pywebview.vue", "."),
+ ("render_test.vue", "."),
 ]
 block_cipher = None
diff --git a/solara/server/starlette.py b/solara/server/starlette.py
index 32a0d0370..2b0ead1d2 100644
--- a/solara/server/starlette.py
+++ b/solara/server/starlette.py
@@ -483,9 +483,9 @@ def get_directories(
 # from https://github.com/encode/starlette/pull/1377/files
 def lookup_path(self, path: str) -> typing.Tuple[str, typing.Optional[os.stat_result]]:
 for directory in self.all_directories:
+ directory = os.path.realpath(directory)
 original_path = os.path.join(directory, path)
 full_path = os.path.realpath(original_path)
- directory = os.path.realpath(directory)
 # return early if someone tries to access a file outside of the directory
 if not path_is_child_of(Path(original_path), Path(directory)):
 return "", None
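Review bot: The containment check in lookup_path still compares `original_path`, the unresolved join, against the resolved `directory`, so `full_path` — the realpath that is presumably what gets stat'd and served further down (the function's tail is outside the hunk) — is never checked against `directory`, and a symlink inside the served directory that resolves elsewhere passes. The commit message suggests that is deliberate (bundled files in Resources linking into Frameworks), so the intent should be stated on the check, e.g. `# Deliberately checked against the unresolved path: symlinked files inside the directory (pyinstaller bundles) may resolve outside it`; if it is not deliberate, the check should take `Path(full_path)` instead. Because `original_path` is not normalized either, the guard relies entirely on `path_is_child_of` (defined outside this hunk) collapsing `..` segments, which is worth pinning with a regression test for a `path` containing `..` so the reordering cannot regress silently. The `return "", None` on the first non-child directory rather than trying the remaining `all_directories` is pre-existing behaviour, but it differs from the upstream Starlette code the comment cites, which is worth a sentence in that comment.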