use twisted.web.static, not nevow.static, for public_html/

This avoids a privacy leak when the web.static= directory is configured
but doesn't exist (which is almost always, since we set `web.static =
public_html` in the default config file, but nothing automatically
creates it). The nevow.static.File class tries to os.stat() the
directory before doing anything else, which causes an exception, which
renders the traceback to the HTTP client as a 500 Internal Server Error,
and the traceback includes the full path of the missing public_html
directory, which reveals the node's basedir.

Plain twisted.web.static.File doesn't do this check, and a missing
web.static directory just results in a plain old 404.

Closes ticket:1720.

src/allmydata/test/test_web.py

@@ -4440,6 +4440,17 @@ class Web(WebMixin, WebErrorMixin, testutil.StallMixin, testutil.ReallyEqualMixi
         d.addCallback(_check)
         return d
 
+    def test_static_missing(self):
+        # self.staticdir does not exist yet, because we used self.mktemp()
+        d = self.assertFailure(self.GET("/static"), error.Error)
+        # nevow.static throws an exception when it tries to os.stat the
+        # missing directory, which gives the client a 500 Internal Server
+        # Error, and the traceback reveals the parent directory name. By
+        # switching to plain twisted.web.static, this gives a normal 404 that
+        # doesn't reveal anything. This addresses #1720.
+        d.addCallback(lambda e: self.assertEquals(str(e), "404 Not Found"))
+        return d
+
 
 class IntroducerWeb(unittest.TestCase):
     def setUp(self):

src/allmydata/webish.py

@@ -1,8 +1,8 @@
 import re, time
 from twisted.application import service, strports, internet
-from twisted.web import http
+from twisted.web import http, static
 from twisted.internet import defer
-from nevow import appserver, inevow, static
+from nevow import appserver, inevow
 from allmydata.util import log, fileutil
 
 from allmydata.web import introweb, root