[cfe-commits] r165815 - /cfe/trunk/tools/scan-view/ScanView.py

Ted Kremenek kremenek at apple.com
Fri Oct 12 14:13:00 PDT 2012


Like this?

+        rel = os.path.abspath(os.path.join(self.server.root, path))
+        if not rel.startswith(os.path.abspath(self.server.root) ):
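Review bot: the prefix test on the second line has no trailing separator, so a sibling directory whose name merely extends the root's name passes: with a root of `/path/out`, a request that resolves to `/path/out2/x` satisfies `startswith('/path/out')`. Compare against `os.path.abspath(self.server.root) + os.sep` (and accept exact equality separately, for a request of the root directory itself, since abspath strips a trailing separator). Note also that abspath is purely lexical, so a symlink under root that points outside still resolves to a string with the root prefix; running os.path.realpath on both sides before comparing closes that.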

On Oct 12, 2012, at 2:09 PM, Matt Beaumont-Gay <matthewbg at google.com> wrote:

> On Fri, Oct 12, 2012 at 2:04 PM, Ted Kremenek <kremenek at apple.com> wrote:
>> I'm not very familiar with Python, but would this do what you suggest:
>> 
>>     def send_path(self, path):
>>         # If the requested path is outside the root directory, do not open it
>> -        rel = os.path.relpath(path, self.server.root)
>> -        if rel.startswith(os.pardir + os.sep):
>> +        rel = os.path.abspath(os.path.relpath(path, self.server.root))
> 
> The argument to abspath should be 'os.path.join(self.server.root,
> path)', since the relpath would be interpreted relative to the server
> process's cwd. LGTM otherwise.
> 
>> +        if not rel.startswith(os.path.abspath(self.server.root)):
>>           return self.send_404()
>> 
>> On Oct 12, 2012, at 1:49 PM, Matt Beaumont-Gay <matthewbg at google.com> wrote:
>> 
>>> Comment from the peanut gallery: I'm totally unfamiliar with this
>>> code, but this patch makes my hacker sense tingle. I can't immediately
>>> come up with a way to break it, but I'd believe in this code more if
>>> it called os.path.abspath and checked that the result has
>>> self.server.root as a prefix.
>>> 
>>> On Fri, Oct 12, 2012 at 12:16 PM, Ted Kremenek <kremenek at apple.com> wrote:
>>>> Author: kremenek
>>>> Date: Fri Oct 12 14:16:31 2012
>>>> New Revision: 165815
>>>> 
>>>> URL: http://llvm.org/viewvc/llvm-project?rev=165815&view=rev
>>>> Log:
>>>> Have scan-view guard against serving up pages outside the root directory.
>>>> 
>>>> Modified:
>>>>   cfe/trunk/tools/scan-view/ScanView.py
>>>> 
>>>> Modified: cfe/trunk/tools/scan-view/ScanView.py
>>>> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/scan-view/ScanView.py?rev=165815&r1=165814&r2=165815&view=diff
>>>> ==============================================================================
>>>> --- cfe/trunk/tools/scan-view/ScanView.py (original)
>>>> +++ cfe/trunk/tools/scan-view/ScanView.py Fri Oct 12 14:16:31 2012
>>>> @@ -707,6 +707,11 @@
>>>>        return None
>>>> 
>>>>    def send_path(self, path):
>>>> +        # If the requested path is outside the root directory, do not open it
>>>> +        rel = os.path.relpath(path, self.server.root)
>>>> +        if rel.startswith(os.pardir + os.sep):
>>>> +          return self.send_404()
>>>> +
>>>>        ctype = self.guess_type(path)
>>>>        if ctype.startswith('text/'):
>>>>            # Patch file instead
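Review bot: the `if rel.startswith(os.pardir + os.sep)` test misses the parent directory itself: os.path.relpath returns a bare `..` (no trailing separator) for a path that resolves to the directory directly above root, so that request is not sent to send_404. Also, relpath is lexical, so a symlink inside root that points outside yields a relative path with no `..` and is served; resolving `path` with os.path.realpath before the comparison closes that. Finally, if `path` arrives as a relative path, relpath interprets it against the server process's cwd rather than `self.server.root`, so join it to the root first.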
>>>> 
>>>> 
>>>> _______________________________________________
>>>> cfe-commits mailing list
>>>> cfe-commits at cs.uiuc.edu
>>>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
>> 
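The three containment checks discussed in this thread, side by side on a constructed directory layout, as an added example (not scan-view's own code; the directory and file names `out`, `out2`, `index.html`, `secret.txt` and `escape` are hypothetical, and the `hardened_check` variant using os.path.realpath plus os.path.commonpath is an assumed hardening that the thread does not propose, so it needs Python 3.4 or later):

```python
"""Path-containment checks in the style of scan-view's send_path.

Added example, not scan-view's own code.  Three variants are compared on a
constructed directory layout:

  original_check  - the relpath test committed in r165815
  prefix_check    - the abspath + startswith test proposed in the thread
  hardened_check  - realpath + commonpath (assumed hardening, not in the thread)
"""
import os
import tempfile


def original_check(root, path):
    """r165815: reject only when relpath starts with '../' (purely lexical)."""
    rel = os.path.relpath(path, root)
    return not rel.startswith(os.pardir + os.sep)


def prefix_check(root, requested):
    """Thread proposal: abspath(join(root, requested)) must start with abspath(root)."""
    candidate = os.path.abspath(os.path.join(root, requested))
    return candidate.startswith(os.path.abspath(root))


def hardened_check(root, requested):
    """Assumed hardening: resolve symlinks on both sides, then require that
    root is a path-component prefix (not just a string prefix) of the target."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    return os.path.commonpath([root_real, candidate]) == root_real


def build_fixture():
    """Constructed layout (hypothetical names) under a fresh temp dir:

        <tmp>/out/index.html            served root
        <tmp>/out2/secret.txt           sibling whose name extends the root's
        <tmp>/out/escape -> <tmp>/out2  symlink inside root pointing outside
    """
    base = tempfile.mkdtemp(prefix="scanview-")
    root = os.path.join(base, "out")
    sibling = os.path.join(base, "out2")
    os.mkdir(root)
    os.mkdir(sibling)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    with open(os.path.join(sibling, "secret.txt"), "w") as fh:
        fh.write("not for serving\n")
    try:
        os.symlink(sibling, os.path.join(root, "escape"))
    except OSError:
        pass  # symlink creation not permitted here; that scenario is skipped
    return root


def has_symlink_case(root):
    """True when the fixture's escape symlink could be created."""
    return os.path.islink(os.path.join(root, "escape"))


# Requests as they would arrive from the URL, relative to the served root.
REQUESTS = ["index.html", "..", "../out2/secret.txt", "escape/secret.txt"]


def run_scenarios(root):
    """Map each request to (original, prefix, hardened) verdicts; True = served."""
    results = {}
    for requested in REQUESTS:
        joined = os.path.join(root, requested)  # what send_path would receive
        results[requested] = (
            original_check(root, joined),
            prefix_check(root, requested),
            hardened_check(root, requested),
        )
    return results


if __name__ == "__main__":
    root = build_fixture()
    print("%-22s %-9s %-7s %s" % ("request", "r165815", "prefix", "hardened"))
    for req, verdict in run_scenarios(root).items():
        print("%-22s %-9s %-7s %s" % ((req,) + verdict))
```

Each row shows a different gap: the r165815 test serves a bare `..` because relpath returns it without a trailing separator, the string-prefix test serves `../out2/secret.txt` because `<tmp>/out2` begins with `<tmp>/out`, and only the realpath-based check rejects the symlink escape, since the other two never look at the filesystem.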




More information about the cfe-commits mailing list