[Zope-Checkins] CVS: Zope3/lib/python/Zope/Server/VFS - OSFileSystem.py:1.1.2.3
Stephan Richter
srichter@cbu.edu
Tue, 2 Apr 2002 13:13:06 -0500
Update of /cvs-repository/Zope3/lib/python/Zope/Server/VFS
In directory cvs.zope.org:/tmp/cvs-serv23618
Modified Files:
Tag: Zope3-Server-Branch
OSFileSystem.py
Log Message:
Issue 48: Comment
Here is the first cut of writing tests. So far it tests only 2 methods,
but I will keep working on it.
But now it is lunch time!
=== Zope3/lib/python/Zope/Server/VFS/OSFileSystem.py 1.1.2.2 => 1.1.2.3 ===
def normalize (self, path):
- # watch for the ever-sneaky '/+' path element
+ # watch for the ever-sneaky '/+' path element
path = re.sub('/+', '/', path)
- p = self.path_module.normpath (path)
- # remove 'dangling' cdup's.
- if len(p) > 2 and p[:3] == '/..':
- p = '/'
- return p
+ # Someone is trying to get lower than the permitted root.
+ # We just ignore it.
+ path = self.path_module.normpath(path)
+ if len(path) > 1 and path[:3] == '..':
+ path = '/'
+ elif len(path) > 2 and path[:3] == '../':
+ path = '/'
+ return path
def translate (self, path):
"""We need to join together three separate path components,
- and do it safely. <real_root>/<current_directory>/<path>
+ and do it safely. <real_root>/<path>
use the operating system's path separator.
- """
- path = os.sep.join('/'.split(path))
- p = self.normalize(self.path_module.join(self.wd, path))
- p = self.normalize(self.path_module.join(self.root, p[1:]))
- return p
+
+ We need to be extremly careful to include the cases where a hacker
+ could attempt to a directory below root!
+ """
+ # Normalize the directory
+ path = os.sep.join(path.split('/'))
+ path = self.normalize(self.path_module.join(path))
+ # Prepare for joining with root
+ if path[0] == '/':
+ path = path[1:]
+ # Join path with root
+ path = self.path_module.join(self.root, path)
+ return path
def __repr__ (self):
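Review bot: The new root-escape checks in normalize() compare against a literal '/' (`path[:3] == '../'`), but translate() has already rewritten separators with `os.sep.join(path.split('/'))`. If path_module is the native os.path on a platform where os.sep is not '/', a leading parent-directory component would presumably match neither branch and be joined onto self.root. The first branch, `path[:3] == '..'`, can only be true when path is exactly '..', so `path == '..'` states the intent directly. translate() would be safer with a containment check after the join, re-normalizing the joined result and rejecting it unless it is still under self.root, instead of relying on prefix tests before the join. `self.path_module.join(path)` with a single argument returns path unchanged and can be dropped; __repr__ continues outside the hunk.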