From 4c21514018e6020e4a1a40579e37c7baab09274a Mon Sep 17 00:00:00 2001
From: Albert Cervera i Areny <albert@nan-tic.com>
Date: Wed, 3 Mar 2021 00:41:56 +0100
Subject: [PATCH] Add issue10068.diff.

---
 issue10068.diff | 41 +++++++++++++++++++++++++++++++++++++++++
 series          |  2 ++
 2 files changed, 43 insertions(+)
 create mode 100644 issue10068.diff

diff --git a/issue10068.diff b/issue10068.diff
new file mode 100644
index 0000000..997befb
--- /dev/null
+++ b/issue10068.diff
@@ -0,0 +1,41 @@
+--- a/trytond/trytond/wsgi.py
++++ b/trytond/trytond/wsgi.py
+@@ -4,6 +4,7 @@
+ import http.client
+ import logging
+ import os
++import posixpath
+ import sys
+ import traceback
+ import urllib.parse
+@@ -25,6 +26,10 @@
+ except ImportError:
+     from werkzeug.contrib.fixers import ProxyFix as NumProxyFix
+ try:
++    from werkzeug.security import safe_join
++except ImportError:
++    safe_join = posixpath.join
++try:
+     from werkzeug.middleware.shared_data import SharedDataMiddleware
+ except ImportError:
+     from werkzeug.wsgi import SharedDataMiddleware
+@@ -201,13 +206,14 @@
+     def get_directory_loader(self, directory):
+         def loader(path):
+             if path is not None:
+-                path = os.path.join(directory, path)
++                path = safe_join(directory, path)
+             else:
+                 path = directory
+-            if os.path.isdir(path):
+-                path = os.path.join(path, 'index.html')
+-            if os.path.isfile(path):
+-                return os.path.basename(path), self._opener(path)
++            if path is not None:
++                if os.path.isdir(path):
++                    path = posixpath.join(path, 'index.html')
++                if os.path.isfile(path):
++                    return os.path.basename(path), self._opener(path)
+             return None, None
+         return loader
+ 
diff --git a/series b/series
index bf75f18..c7c6983 100644
--- a/series
+++ b/series
@@ -63,3 +63,5 @@ issue8944.diff # [sale_shipment_cost] Prevent crash when duplicating a sale and
 account_asset.diff # [account_asset] permit update asset running without move yet.
 
 issue8834.diff # [account_payment_clearing] Party required when mark a payment succeed and counterpart account is required
+
+issue10068.diff # [trytond] Use safe_join in SharedDataMiddlewareIndex