linaro-license-protection

Merge lp:~dooferlad/linaro-license-protection/bug1187726 into lp:~linaro-automation/linaro-license-protection/trunk

  1. bug1187726
  2. Merge into trunk
Proposed by James Tunnicliffe
Status: Merged
Merged at revision: 201
Proposed branch: lp:~dooferlad/linaro-license-protection/bug1187726
Merge into: lp:~linaro-automation/linaro-license-protection/trunk
Diff against target: 65 lines (+40/-1)
2 files modified
license_protected_downloads/tests/test_views.py (+18/-0)
license_protected_downloads/views.py (+22/-1)
To merge this branch: bzr merge lp:~dooferlad/linaro-license-protection/bug1187726
Reviewer Review Type Date Requested Status
Milo Casagrande (community) Approve
Review via email: mp+167505@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Milo Casagrande (milo) wrote :

Looks OK to me.
There is only one typo I guess:

+ """os.path.join with with check that result is inside base_path.

s/with with/with
In case, fix when merging.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'license_protected_downloads/tests/test_views.py'
2--- license_protected_downloads/tests/test_views.py 2013-05-27 15:35:04 +0000
3+++ license_protected_downloads/tests/test_views.py 2013-06-05 11:32:29 +0000
4@@ -821,6 +821,24 @@
5 self.assertEqual(response.status_code, 200)
6 self.assertContains(response, 'test CSS')
7
8+ def test_path_to_root(self):
9+ response = self.client.get("http://testserver//", follow=True)
10+
11+ # Shouldn't be able to escape served paths...
12+ self.assertEqual(response.status_code, 404)
13+
14+ def test_path_to_dir_above(self):
15+ response = self.client.get("http://testserver/../", follow=True)
16+
17+ # Shouldn't be able to escape served paths...
18+ self.assertEqual(response.status_code, 404)
19+
20+ def test_path_to_dir_above2(self):
21+ response = self.client.get("http://testserver/..", follow=True)
22+
23+ # Shouldn't be able to escape served paths...
24+ self.assertEqual(response.status_code, 404)
25+
26
27 class HowtoViewTests(BaseServeViewTest):
28 def test_no_howtos(self):
29
30=== modified file 'license_protected_downloads/views.py'
31--- license_protected_downloads/views.py 2013-06-04 18:50:56 +0000
32+++ license_protected_downloads/views.py 2013-06-05 11:32:29 +0000
33@@ -132,10 +132,31 @@
34 return listing
35
36
37+def safe_path_join(base_path, *paths):
38+ """os.path.join with with check that result is inside base_path.
39+
40+ Checks that the generated path doesn't end up outside the target
41+ directory, so server accesses stay where we expect them.
42+ """
43+
44+ target_path = os.path.join(base_path, *paths)
45+
46+ if not target_path.startswith(base_path):
47+ return None
48+
49+ if not os.path.normpath(target_path) == target_path.rstrip("/"):
50+ return None
51+
52+ return target_path
53+
54+
55 def test_path(path):
56
57 for basepath in settings.SERVED_PATHS:
58- fullpath = os.path.join(basepath, path)
59+ fullpath = safe_path_join(basepath, path)
60+ if fullpath is None:
61+ return None
62+
63 if os.path.isfile(fullpath):
64 return ("file", fullpath)
65 if os.path.isdir(fullpath):

Subscribers

People subscribed via source and target branches