diff --git a/starlette/staticfiles.py b/starlette/staticfiles.py
index 746e740e0..34be04cdc 100644
--- a/starlette/staticfiles.py
+++ b/starlette/staticfiles.py
@@ -156,9 +156,8 @@ def lookup_path(self, path: str) -> tuple[str, os.stat_result | None]:
 else:
 full_path = os.path.realpath(joined_path)
 directory = os.path.realpath(directory)
- if os.path.commonpath([full_path, directory]) != directory:
- # Don't allow misbehaving clients to break out of the static files
- # directory.
+ if os.path.commonpath([full_path, directory]) != str(directory):
+ # Don't allow misbehaving clients to break out of the static files directory.
 continue
 try:
 return full_path, os.stat(full_path)
diff --git a/tests/test_staticfiles.py b/tests/test_staticfiles.py
index b4f131719..2c5e7e2df 100644
--- a/tests/test_staticfiles.py
+++ b/tests/test_staticfiles.py
@@ -576,16 +576,15 @@ def test_staticfiles_avoids_path_traversal(tmp_path: Path) -> None:
 assert exc_info.value.detail == "Not Found"
-def test_staticfiles_self_symlinks(tmpdir: Path, test_client_factory: TestClientFactory) -> None:
- statics_path = os.path.join(tmpdir, "statics")
- os.mkdir(statics_path)
+def test_staticfiles_self_symlinks(tmp_path: Path, test_client_factory: TestClientFactory) -> None:
+ statics_path = tmp_path / "statics"
+ statics_path.mkdir()
- source_file_path = os.path.join(statics_path, "index.html")
- with open(source_file_path, "w") as file:
- file.write("
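Review bot: The `str(directory)` cast in the containment check only changes behaviour if `directory` can still be a `Path` at this point; in the visible `else:` branch it has just been rebound to the `str` returned by `os.path.realpath()`, so whether the cast is needed depends on the branch before `else:`, which is outside the hunk. Since this comparison is what keeps a request inside the static directory, I would bind the normalised directory to its own `str` name in both branches, `base = os.path.realpath(directory)`, and test `if os.path.commonpath([full_path, base]) != base:`, so both sides visibly pass through the same normalisation and a `str`-versus-`Path` mismatch cannot make the guard reject every file. Separately, `os.path.commonpath` raises `ValueError` for paths on different Windows drives and the `try` shown here starts after the check, so it is worth confirming that case ends as a miss rather than an unhandled error.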

Hello

") + source_file_path = statics_path / "index.html" + source_file_path.write_text("

Hello

", encoding="utf-8") - statics_symlink_path = os.path.join(tmpdir, "statics_symlink") - os.symlink(statics_path, statics_symlink_path) + statics_symlink_path = tmp_path / "statics_symlink" + statics_symlink_path.symlink_to(statics_path) app = StaticFiles(directory=statics_symlink_path, follow_symlink=True) client = test_client_factory(app)