Avoid malicious user path input (#1855)

Co-authored-by: jan iversen <[email protected]>

Author: alexrudd2

pymodbus/server/simulator/http_server.py

@@ -259,7 +259,9 @@ async def handle_html_static(self, request):
         """Handle static html."""
         if not (page := request.path[1:]):
             page = "index.html"
-        file = os.path.join(self.web_path, page)
+        file = os.path.normpath(os.path.join(self.web_path, page))
+        if not file.startswith(self.web_path):
+            raise ValueError(f"File access outside {self.web_path} not permitted.")
         try:
             with open(file, encoding="utf-8"):
                 return web.FileResponse(file)