linaro-license-protection

Merge lp:~dooferlad/linaro-license-protection/bug1187726 into lp:~linaro-automation/linaro-license-protection/trunk

  1. bug1187726
  2. Merge into trunk
Proposed by James Tunnicliffe
Status: Merged
Merged at revision: 201
Proposed branch: lp:~dooferlad/linaro-license-protection/bug1187726
Merge into: lp:~linaro-automation/linaro-license-protection/trunk
Diff against target: 65 lines (+40/-1)
2 files modified
license_protected_downloads/tests/test_views.py (+18/-0)
license_protected_downloads/views.py (+22/-1)
To merge this branch: bzr merge lp:~dooferlad/linaro-license-protection/bug1187726
Reviewer Review Type Date Requested Status
Milo Casagrande (community) Approve
Review via email: mp+167505@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Milo Casagrande (milo) wrote :

Looks OK to me.
There is only one typo I guess:

+ """os.path.join with with check that result is inside base_path.

s/with with/with
In case, fix when merging.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'license_protected_downloads/tests/test_views.py'
--- license_protected_downloads/tests/test_views.py 2013-05-27 15:35:04 +0000
+++ license_protected_downloads/tests/test_views.py 2013-06-05 11:32:29 +0000
@@ -821,6 +821,24 @@
821 self.assertEqual(response.status_code, 200)821 self.assertEqual(response.status_code, 200)
822 self.assertContains(response, 'test CSS')822 self.assertContains(response, 'test CSS')
823823
824 def test_path_to_root(self):
825 response = self.client.get("http://testserver//", follow=True)
826
827 # Shouldn't be able to escape served paths...
828 self.assertEqual(response.status_code, 404)
829
830 def test_path_to_dir_above(self):
831 response = self.client.get("http://testserver/../", follow=True)
832
833 # Shouldn't be able to escape served paths...
834 self.assertEqual(response.status_code, 404)
835
836 def test_path_to_dir_above2(self):
837 response = self.client.get("http://testserver/..", follow=True)
838
839 # Shouldn't be able to escape served paths...
840 self.assertEqual(response.status_code, 404)
841
824842
825class HowtoViewTests(BaseServeViewTest):843class HowtoViewTests(BaseServeViewTest):
826 def test_no_howtos(self):844 def test_no_howtos(self):
827845
=== modified file 'license_protected_downloads/views.py'
--- license_protected_downloads/views.py 2013-06-04 18:50:56 +0000
+++ license_protected_downloads/views.py 2013-06-05 11:32:29 +0000
@@ -132,10 +132,31 @@
132 return listing132 return listing
133133
134134
135def safe_path_join(base_path, *paths):
136 """os.path.join with with check that result is inside base_path.
137
138 Checks that the generated path doesn't end up outside the target
139 directory, so server accesses stay where we expect them.
140 """
141
142 target_path = os.path.join(base_path, *paths)
143
144 if not target_path.startswith(base_path):
145 return None
146
147 if not os.path.normpath(target_path) == target_path.rstrip("/"):
148 return None
149
150 return target_path
151
152
135def test_path(path):153def test_path(path):
136154
137 for basepath in settings.SERVED_PATHS:155 for basepath in settings.SERVED_PATHS:
138 fullpath = os.path.join(basepath, path)156 fullpath = safe_path_join(basepath, path)
157 if fullpath is None:
158 return None
159
139 if os.path.isfile(fullpath):160 if os.path.isfile(fullpath):
140 return ("file", fullpath)161 return ("file", fullpath)
141 if os.path.isdir(fullpath):162 if os.path.isdir(fullpath):

Subscribers

People subscribed via source and target branches