[cfe-commits] r165815 - /cfe/trunk/tools/scan-view/ScanView.py

Matt Beaumont-Gay matthewbg at google.com
Fri Oct 12 14:09:43 PDT 2012


On Fri, Oct 12, 2012 at 2:04 PM, Ted Kremenek <kremenek at apple.com> wrote:
> I'm not very familiar with Python, but would this do what you suggest:
>
>      def send_path(self, path):
>          # If the requested path is outside the root directory, do not open it
> -        rel = os.path.relpath(path, self.server.root)
> -        if rel.startswith(os.pardir + os.sep):
> +        rel = os.path.abspath(os.path.relpath(path, self.server.root))

The argument to abspath should be 'os.path.join(self.server.root,
path)', since the relpath would be interpreted relative to the server
process's cwd. LGTM otherwise.

> +        if not rel.startswith(os.path.abspath(self.server.root)):
>            return self.send_404()
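Review bot: the prefix test on `if not rel.startswith(os.path.abspath(self.server.root)):` has no separator after the root, so a sibling directory whose name merely begins with the root's name (a root ending in `scan` against a request under `scan2`) passes the check; compare against `os.path.abspath(self.server.root) + os.sep` (or accept equality with the root itself) so that only requests sharing the whole path component are served. As noted above, the `+ rel = ...` line should also take the absolute path of `os.path.join(self.server.root, path)` rather than of a relpath result, otherwise `abspath` resolves the relative form against the server process's cwd and every legitimate request ends in `send_404()`.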
>
> On Oct 12, 2012, at 1:49 PM, Matt Beaumont-Gay <matthewbg at google.com> wrote:
>
>> Comment from the peanut gallery: I'm totally unfamiliar with this
>> code, but this patch makes my hacker sense tingle. I can't immediately
>> come up with a way to break it, but I'd believe in this code more if
>> it called os.path.abspath and checked that the result has
>> self.server.root as a prefix.
>>
>> On Fri, Oct 12, 2012 at 12:16 PM, Ted Kremenek <kremenek at apple.com> wrote:
>>> Author: kremenek
>>> Date: Fri Oct 12 14:16:31 2012
>>> New Revision: 165815
>>>
>>> URL: http://llvm.org/viewvc/llvm-project?rev=165815&view=rev
>>> Log:
>>> Have scan-view guard against serving up pages outside the root directory.
>>>
>>> Modified:
>>>    cfe/trunk/tools/scan-view/ScanView.py
>>>
>>> Modified: cfe/trunk/tools/scan-view/ScanView.py
>>> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/scan-view/ScanView.py?rev=165815&r1=165814&r2=165815&view=diff
>>> ==============================================================================
>>> --- cfe/trunk/tools/scan-view/ScanView.py (original)
>>> +++ cfe/trunk/tools/scan-view/ScanView.py Fri Oct 12 14:16:31 2012
>>> @@ -707,6 +707,11 @@
>>>         return None
>>>
>>>     def send_path(self, path):
>>> +        # If the requested path is outside the root directory, do not open it
>>> +        rel = os.path.relpath(path, self.server.root)
>>> +        if rel.startswith(os.pardir + os.sep):
>>> +          return self.send_404()
>>> +
>>>         ctype = self.guess_type(path)
>>>         if ctype.startswith('text/'):
>>>             # Patch file instead
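Review bot: the test `if rel.startswith(os.pardir + os.sep):` lets through a request that resolves to exactly the parent of the root, because `os.path.relpath` returns a bare `..` with no trailing separator in that case; check `rel == os.pardir` as well, or replace the relpath form by comparing absolute paths against the root. Note also that `relpath` only normalises the string and does not follow symbolic links, so a link inside the root that points elsewhere still passes. Style: the new `return self.send_404()` is indented two spaces under its `if`, while the surrounding method (`ctype = self.guess_type(path)`, `# Patch file instead`) uses four-space levels.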
>>>
>>>
>>> _______________________________________________
>>> cfe-commits mailing list
>>> cfe-commits at cs.uiuc.edu
>>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
>
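The containment checks discussed in this thread, placed side by side with a hardened version, as an added example (this is not code from r165815 or from either reply). The root `/srv/scan`, the request paths and the `cwd` parameter of `proposed_check` are constructed for the demonstration; `cwd` stands in for the process working directory that `os.path.abspath()` would otherwise consult, so the outcome does not depend on where the script is run. The hardened `is_within_root` goes beyond what the thread discusses by resolving symlinks with `os.path.realpath()` and comparing whole path components with `os.path.commonpath()`.

```python
import os
import tempfile


def committed_check(root, path):
    """Guard as committed in r165815: reject only when relpath starts with '../'.
    Returns True when the request would be served."""
    rel = os.path.relpath(path, root)
    return not rel.startswith(os.pardir + os.sep)


def proposed_check(root, path, cwd):
    """Guard from the follow-up proposal in this thread.  os.path.abspath() of a
    relative path joins it onto the process cwd; `cwd` is a hypothetical
    parameter that models that join explicitly so the result is reproducible."""
    rel = os.path.normpath(os.path.join(cwd, os.path.relpath(path, root)))
    return rel.startswith(os.path.abspath(root))


def prefix_check(root, path):
    """abspath of the root-joined request, then a plain string-prefix test."""
    absolute = os.path.abspath(os.path.join(root, path))
    return absolute.startswith(os.path.abspath(root))


def is_within_root(root, path):
    """Hardened guard: resolve symlinks, then compare whole path components.
    commonpath() works per component, so a sibling directory whose name merely
    starts with the root's name is not treated as being inside it."""
    root_real = os.path.realpath(root)
    target_real = os.path.realpath(os.path.join(root_real, path))
    return os.path.commonpath([root_real, target_real]) == root_real


def symlink_escape_demo():
    """Constructed tree: base/root/link -> base/outside.  Returns the verdicts
    (prefix_check, is_within_root) for a request that goes through the link."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "root")
        outside = os.path.join(base, "outside")
        os.mkdir(root)
        os.mkdir(outside)
        with open(os.path.join(outside, "secret.txt"), "w") as fh:
            fh.write("not meant to be served\n")
        os.symlink(outside, os.path.join(root, "link"))
        request = os.path.join(root, "link", "secret.txt")
        return prefix_check(root, request), is_within_root(root, request)


if __name__ == "__main__":
    root = "/srv/scan"  # constructed root; the requests below are never opened
    requests = ["/srv/scan/reports/r1.html", "/srv/scan/../etc/passwd",
                "/srv", "/srv/scan2/x"]
    print("request  committed  prefix  hardened")
    for req in requests:
        print(req, committed_check(root, req), prefix_check(root, req),
              is_within_root(root, req))
    print("proposed_check with cwd=/home/user:",
          proposed_check(root, "/srv/scan/reports/r1.html", "/home/user"))
    print("symlink (prefix_check, is_within_root):", symlink_escape_demo())
```

Each flawed variant fails on a different input: the committed check admits the root's own parent (relpath gives a bare `..`), the proposed variant rejects legitimate files whenever the cwd is not the root, and the string-prefix form admits `/srv/scan2`. `is_within_root` is the form to use in `send_path`: both operands are absolute after `realpath`, which is what `commonpath` requires, and the check must run on the same path that is subsequently opened.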