linaro-license-protection

Merge lp:~dooferlad/linaro-license-protection/protect_hidden_files into lp:~linaro-automation/linaro-license-protection/trunk

protect_hidden_files
Merge into trunk

Proposed by James Tunnicliffe on 2012-08-22

Status:	Merged
Approved by:	Stevan Radaković on 2012-08-22
Approved revision:	109
Merged at revision:	108
Proposed branch:	lp:~dooferlad/linaro-license-protection/protect_hidden_files
Merge into:	lp:~linaro-automation/linaro-license-protection/trunk
Diff against target:	91 lines (+41/-2) 2 files modified license_protected_downloads/tests/test_views.py (+19/-0) license_protected_downloads/views.py (+22/-2)
To merge this branch:	bzr merge lp:~dooferlad/linaro-license-protection/protect_hidden_files
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Stevan Radaković		2012-08-22	Approve on 2012-08-22
Review via email: mp+120753@code.launchpad.net

lp:~dooferlad/linaro-license-protection/protect_hidden_files updated on 2012-08-22

109. By James Tunnicliffe on 2012-08-22: Added another test.

Revision history for this message

Stevan Radaković (stevanr) wrote on 2012-08-22:

Looks good, tests pass as well.
Approve +1

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

James Tunnicliffe

Linaro Infrastructure

 === modified file 'license_protected_downloads/tests/test_views.py'
 --- license_protected_downloads/tests/test_views.py	2012-08-20 15:41:26 +0000
 +++ license_protected_downloads/tests/test_views.py	2012-08-22 13:54:30 +0000
@@ -411,5 +411,24 @@
          # If a build-info file is invalid, we don't allow access
          self.assertEqual(response.status_code, 403)
++    def test_unable_to_download_hidden_files(self):
++        target_file = '~linaro-android/staging-vexpress-a9/OPEN-EULA.txt'
++        url = urlparse.urljoin("http://testserver/", target_file)
++        response = self.client.get(url, follow=True)
++
++        # This file exists, but isn't listed so we shouldn't be able to
++        # download it.
++        self.assertEqual(response.status_code, 404)
++
++    def test_dot_files_are_hidden(self):
++        target_file = 'open'
++        url = urlparse.urljoin("http://testserver/", target_file)
++        response = self.client.get(url, follow=True)
++
++        # the directory open contains .hidden.txt - we shouldn't be able to
++        # see it in the listing.
++        self.assertNotContains(response, ".hidden.txt")
++
++
  if __name__ == '__main__':
      unittest.main()
 === added directory 'license_protected_downloads/tests/testserver_root/open'
 === added file 'license_protected_downloads/tests/testserver_root/open/.hidden.txt'
 === added file 'license_protected_downloads/tests/testserver_root/open/OPEN-EULA.txt'
 === modified file 'license_protected_downloads/views.py'
 --- license_protected_downloads/views.py	2012-08-20 15:41:26 +0000
 +++ license_protected_downloads/views.py	2012-08-22 13:54:30 +0000
@@ -26,7 +26,7 @@
  def _hidden_file(file_name):
--    hidden_files = ["BUILD-INFO.txt", "EULA.txt", ".htaccess", "HEADER.html"]
++    hidden_files = ["BUILD-INFO.txt", "EULA.txt", r"^\.", "HEADER.html"]
      for pattern in hidden_files:
          if re.search(pattern, file_name):
              return True
@@ -34,7 +34,7 @@
  def _hidden_dir(file_name):
--    hidden_files = [".*openid.*", ".*restricted.*", ".*private.*"]
++    hidden_files = [".*openid.*", ".*restricted.*", ".*private.*", r"^\."]
      for pattern in hidden_files:
          if re.search(pattern, file_name):
              return True
@@ -246,6 +246,20 @@
      return redirect('/')
++def file_listed(path, url):
++    """Boolean response to "does this files show up in a directory listing."""
++    file_name = os.path.basename(path)
++    dir_name = os.path.dirname(path)
++
++    found = False
++    file_list = dir_list(url, dir_name)
++    for file in file_list:
++        if file["name"] == file_name:
++            found = True
++
++    return found
++
++
  def file_server(request, path):
      url = path
      result = test_path(path)
@@ -293,6 +307,12 @@
      file_name = os.path.basename(path)
++    # If the file listing doesn't contain the file requested for download,
++    # return a 404. This prevents the download of BUILD-INFO.txt and other
++    # hidden files.
++    if not file_listed(path, url):
++        raise Http404
++
      response = None
      if get_client_ip(request) in config.INTERNAL_HOSTS:
          digests = 'OPEN'
 === added directory 'sampleroot/open'
 === added file 'sampleroot/open/.hidden.txt'
 === added file 'sampleroot/open/OPEN-EULA.txt'

linaro-license-protection

Merge lp:~dooferlad/linaro-license-protection/protect_hidden_files into lp:~linaro-automation/linaro-license-protection/trunk

Commit message

Description of the change

Preview Diff

Subscribers