Comment from the peanut gallery: I'm totally unfamiliar with this code, but this patch makes my hacker sense tingle. I can't immediately come up with a way to break it, but I'd believe in this code more if it called os.path.abspath and checked that the result has self.server.root as a prefix.
On Fri, Oct 12, 2012 at 12:16 PM, Ted Kremenek <[email protected]> wrote: > Author: kremenek > Date: Fri Oct 12 14:16:31 2012 > New Revision: 165815 > > URL: http://llvm.org/viewvc/llvm-project?rev=165815&view=rev > Log: > Have scan-view guard against serving up pages outside the root directory. > > Modified: > cfe/trunk/tools/scan-view/ScanView.py > > Modified: cfe/trunk/tools/scan-view/ScanView.py > URL: > http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/scan-view/ScanView.py?rev=165815&r1=165814&r2=165815&view=diff > ============================================================================== > --- cfe/trunk/tools/scan-view/ScanView.py (original) > +++ cfe/trunk/tools/scan-view/ScanView.py Fri Oct 12 14:16:31 2012 > @@ -707,6 +707,11 @@ > return None > > def send_path(self, path): > + # If the requested path is outside the root directory, do not open it > + rel = os.path.relpath(path, self.server.root) > + if rel.startswith(os.pardir + os.sep): > + return self.send_404() > + > ctype = self.guess_type(path) > if ctype.startswith('text/'): > # Patch file instead > > > _______________________________________________ > cfe-commits mailing list > [email protected] > http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits _______________________________________________ cfe-commits mailing list [email protected] http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
