[cfe-commits] r165815 - /cfe/trunk/tools/scan-view/ScanView.py

Matt Beaumont-Gay matthewbg at google.com
Fri Oct 12 13:49:42 PDT 2012


Comment from the peanut gallery: I'm totally unfamiliar with this
code, but this patch makes my hacker sense tingle. I can't immediately
come up with a way to break it, but I'd believe in this code more if
it called os.path.abspath and checked that the result has
self.server.root as a prefix.

On Fri, Oct 12, 2012 at 12:16 PM, Ted Kremenek <kremenek at apple.com> wrote:
> Author: kremenek
> Date: Fri Oct 12 14:16:31 2012
> New Revision: 165815
>
> URL: http://llvm.org/viewvc/llvm-project?rev=165815&view=rev
> Log:
> Have scan-view guard against serving up pages outside the root directory.
>
> Modified:
>     cfe/trunk/tools/scan-view/ScanView.py
>
> Modified: cfe/trunk/tools/scan-view/ScanView.py
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/scan-view/ScanView.py?rev=165815&r1=165814&r2=165815&view=diff
> ==============================================================================
> --- cfe/trunk/tools/scan-view/ScanView.py (original)
> +++ cfe/trunk/tools/scan-view/ScanView.py Fri Oct 12 14:16:31 2012
> @@ -707,6 +707,11 @@
>          return None
>
>      def send_path(self, path):
> +        # If the requested path is outside the root directory, do not open it
> +        rel = os.path.relpath(path, self.server.root)
> +        if rel.startswith(os.pardir + os.sep):
> +          return self.send_404()
> +
>          ctype = self.guess_type(path)
>          if ctype.startswith('text/'):
>              # Patch file instead
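Review bot: the guard in send_path lets through the one path that resolves to the root's own parent, because os.path.relpath returns bare `..` for it and `"..".startswith("../")` is false; only paths that go at least one component further up match `os.pardir + os.sep`. Compare with the parent as well, e.g. `if rel == os.pardir or rel.startswith(os.pardir + os.sep):`, or drop relpath and compare absolute paths component-wise against self.server.root. Two smaller points on the same lines: the new block is indented two spaces while the rest of the method uses four, and relpath only normalizes lexically, so a symlink under the root that points outside it still passes; os.path.realpath on both sides would close that as well.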
>
>
> _______________________________________________
> cfe-commits mailing list
> cfe-commits at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
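The three ways of writing this guard side by side, as an added example that is not part of the commit or of the scan-view code: the relpath check as committed in r165815, the abspath-and-prefix check Matt suggests (using os.path.commonpath so that a sibling directory such as scan-root2 cannot pass a plain string-prefix test), and a realpath variant that also defeats a symlink planted under the root. The root and request paths are constructed for the demo; the symlink scenario is built in a temporary directory and assumes a POSIX host where unprivileged users may create symlinks.

```python
import os
import tempfile


def relpath_guard(path, root):
    """The check as committed: reject when the relative path starts with '../'.
    Misses the case where relpath returns a bare '..' (the root's own parent)."""
    rel = os.path.relpath(path, root)
    return not rel.startswith(os.pardir + os.sep)


def abspath_guard(path, root):
    """Absolutize both sides and require root to be a path-component prefix.
    commonpath compares whole components, so '/srv/scan-root2' is not treated
    as being inside '/srv/scan-root' the way str.startswith would."""
    root_abs = os.path.abspath(root)
    path_abs = os.path.abspath(path)
    return os.path.commonpath([root_abs, path_abs]) == root_abs


def realpath_guard(path, root):
    """Same as abspath_guard, but symlinks are resolved first, so a link inside
    the root that points outside it is rejected too."""
    root_real = os.path.realpath(root)
    path_real = os.path.realpath(path)
    return os.path.commonpath([root_real, path_real]) == root_real


def symlink_demo():
    """Constructed scenario (hypothetical layout, not from the page): a file
    outside the root, and a symlink inside the root pointing at it.
    Returns (abspath_guard verdict, realpath_guard verdict) for the link."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "scan-root")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("not for serving\n")
        link = os.path.join(root, "report.html")
        os.symlink(secret, link)
        return abspath_guard(link, root), realpath_guard(link, root)


if __name__ == "__main__":
    root = "/srv/scan-root"            # constructed root directory
    requests = [                       # constructed request paths
        "/srv/scan-root/index.html",   # normal file under the root
        "/srv/scan-root/../etc/passwd",  # classic traversal
        "/srv/scan-root/..",           # the parent itself: relpath gives '..'
        "/srv/scan-root2/secret",      # sibling directory sharing the prefix
        "/srv/scan-root",              # the root itself
    ]
    print("%-32s %-8s %-8s" % ("request", "relpath", "abspath"))
    for req in requests:
        print("%-32s %-8s %-8s" % (req, relpath_guard(req, root), abspath_guard(req, root)))
    print("symlink inside root -> outside: (abspath, realpath) =", symlink_demo())
```

The table the script prints is the whole argument: every guard rejects `../etc/passwd`, but only the absolute-path variants reject a request for the parent directory itself, and only the realpath variant rejects the symlink. Whether following symlinks out of the root is wanted is a policy question for the server, not something a path check can decide on its own.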
