[PR aio-libs#12125/f049588a backport][3.13] Block absolute paths in static files (aio-libs#12128)

**This is a backport of PR aio-libs#12125 as merged into master
(f049588).**

Co-authored-by: Sam Bull <git@sambull.org>

Author: patchback[bot]

aiohttp/web_urldispatcher.py

@@ -676,6 +676,10 @@ def __iter__(self) -> Iterator[AbstractRoute]:
 
     async def _handle(self, request: Request) -> StreamResponse:
         filename = request.match_info["filename"]
+        if Path(filename).is_absolute():
+            # filename is an absolute path e.g. //network/share or D:\path
+            # which could be a UNC path leading to NTLM credential theft
+            raise HTTPNotFound()
         unresolved_path = self._directory.joinpath(filename)
         loop = asyncio.get_running_loop()
         return await loop.run_in_executor(