[cfe-commits] r165815 - /cfe/trunk/tools/scan-view/ScanView.py
Matt Beaumont-Gay
matthewbg at google.com
Fri Oct 12 14:15:37 PDT 2012
LGTM
On Fri, Oct 12, 2012 at 2:13 PM, Ted Kremenek <kremenek at apple.com> wrote:
> Like this?
>
> + rel = os.path.abspath(os.path.join(self.server.root, path))
> + if not rel.startswith(os.path.abspath(self.server.root) ):
>
> On Oct 12, 2012, at 2:09 PM, Matt Beaumont-Gay <matthewbg at google.com> wrote:
>
>> On Fri, Oct 12, 2012 at 2:04 PM, Ted Kremenek <kremenek at apple.com> wrote:
>>> I'm not very familiar with Python, but would this do what you suggest:
>>>
>>> def send_path(self, path):
>>> # If the requested path is outside the root directory, do not open it
>>> - rel = os.path.relpath(path, self.server.root)
>>> - if rel.startswith(os.pardir + os.sep):
>>> + rel = os.path.abspath(os.path.relpath(path, self.server.root))
>>
>> The argument to abspath should be 'os.path.join(self.server.root,
>> path)', since the relpath would be interpreted relative to the server
>> process's cwd. LGTM otherwise.
>>
>>> + if not rel.startswith(os.path.abspath(self.server.root)):
>>> return self.send_404()
>>>
>>> On Oct 12, 2012, at 1:49 PM, Matt Beaumont-Gay <matthewbg at google.com> wrote:
>>>
>>>> Comment from the peanut gallery: I'm totally unfamiliar with this
>>>> code, but this patch makes my hacker sense tingle. I can't immediately
>>>> come up with a way to break it, but I'd believe in this code more if
>>>> it called os.path.abspath and checked that the result has
>>>> self.server.root as a prefix.
>>>>
>>>> On Fri, Oct 12, 2012 at 12:16 PM, Ted Kremenek <kremenek at apple.com> wrote:
>>>>> Author: kremenek
>>>>> Date: Fri Oct 12 14:16:31 2012
>>>>> New Revision: 165815
>>>>>
>>>>> URL: http://llvm.org/viewvc/llvm-project?rev=165815&view=rev
>>>>> Log:
>>>>> Have scan-view guard against serving up pages outside the root directory.
>>>>>
>>>>> Modified:
>>>>> cfe/trunk/tools/scan-view/ScanView.py
>>>>>
>>>>> Modified: cfe/trunk/tools/scan-view/ScanView.py
>>>>> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/scan-view/ScanView.py?rev=165815&r1=165814&r2=165815&view=diff
>>>>> ==============================================================================
>>>>> --- cfe/trunk/tools/scan-view/ScanView.py (original)
>>>>> +++ cfe/trunk/tools/scan-view/ScanView.py Fri Oct 12 14:16:31 2012
>>>>> @@ -707,6 +707,11 @@
>>>>> return None
>>>>>
>>>>> def send_path(self, path):
>>>>> + # If the requested path is outside the root directory, do not open it
>>>>> + rel = os.path.relpath(path, self.server.root)
>>>>> + if rel.startswith(os.pardir + os.sep):
>>>>> + return self.send_404()
>>>>> +
>>>>> ctype = self.guess_type(path)
>>>>> if ctype.startswith('text/'):
>>>>> # Patch file instead
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> cfe-commits mailing list
>>>>> cfe-commits at cs.uiuc.edu
>>>>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
>>>
>
More information about the cfe-commits
mailing list