LGTM
On Fri, Oct 12, 2012 at 2:13 PM, Ted Kremenek <[email protected]> wrote:
> Like this?
>
> + rel = os.path.abspath(os.path.join(self.server.root, path))
> + if not rel.startswith(os.path.abspath(self.server.root) ):
>
> On Oct 12, 2012, at 2:09 PM, Matt Beaumont-Gay <[email protected]> wrote:
>
>> On Fri, Oct 12, 2012 at 2:04 PM, Ted Kremenek <[email protected]> wrote:
>>> I'm not very familiar with Python, but would this do what you suggest:
>>>
>>> def send_path(self, path):
>>> # If the requested path is outside the root directory, do not open
>>> it
>>> - rel = os.path.relpath(path, self.server.root)
>>> - if rel.startswith(os.pardir + os.sep):
>>> + rel = os.path.abspath(os.path.relpath(path, self.server.root))
>>
>> The argument to abspath should be 'os.path.join(self.server.root,
>> path)', since the relpath would be interpreted relative to the server
>> process's cwd. LGTM otherwise.
>>
>>> + if not rel.startswith(os.path.abspath(self.server.root)):
>>> return self.send_404()
>>>
>>> On Oct 12, 2012, at 1:49 PM, Matt Beaumont-Gay <[email protected]> wrote:
>>>
>>>> Comment from the peanut gallery: I'm totally unfamiliar with this
>>>> code, but this patch makes my hacker sense tingle. I can't immediately
>>>> come up with a way to break it, but I'd believe in this code more if
>>>> it called os.path.abspath and checked that the result has
>>>> self.server.root as a prefix.
>>>>
>>>> On Fri, Oct 12, 2012 at 12:16 PM, Ted Kremenek <[email protected]> wrote:
>>>>> Author: kremenek
>>>>> Date: Fri Oct 12 14:16:31 2012
>>>>> New Revision: 165815
>>>>>
>>>>> URL: http://llvm.org/viewvc/llvm-project?rev=165815&view=rev
>>>>> Log:
>>>>> Have scan-view guard against serving up pages outside the root directory.
>>>>>
>>>>> Modified:
>>>>> cfe/trunk/tools/scan-view/ScanView.py
>>>>>
>>>>> Modified: cfe/trunk/tools/scan-view/ScanView.py
>>>>> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/scan-view/ScanView.py?rev=165815&r1=165814&r2=165815&view=diff
>>>>> ==============================================================================
>>>>> --- cfe/trunk/tools/scan-view/ScanView.py (original)
>>>>> +++ cfe/trunk/tools/scan-view/ScanView.py Fri Oct 12 14:16:31 2012
>>>>> @@ -707,6 +707,11 @@
>>>>> return None
>>>>>
>>>>> def send_path(self, path):
>>>>> + # If the requested path is outside the root directory, do not
>>>>> open it
>>>>> + rel = os.path.relpath(path, self.server.root)
>>>>> + if rel.startswith(os.pardir + os.sep):
>>>>> + return self.send_404()
>>>>> +
>>>>> ctype = self.guess_type(path)
>>>>> if ctype.startswith('text/'):
>>>>> # Patch file instead
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> cfe-commits mailing list
>>>>> [email protected]
>>>>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
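Review bot: in the `send_path` hunk, `rel.startswith(os.pardir + os.sep)` misses the case where `os.path.relpath` returns exactly `os.pardir` (a request that resolves to the parent of the root itself), because that string carries no trailing separator; and when `path` is relative, `relpath` evaluates it against the server process's cwd rather than `self.server.root`, so the comparison need not say anything about the directory being served. A more robust check resolves the candidate with `os.path.abspath(os.path.join(self.server.root, path))` and accepts it only if it equals `os.path.abspath(self.server.root)` or starts with that value followed by `os.sep`, which also rejects a sibling directory whose name merely shares the root's name as a prefix.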
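An added example, not code from the thread or from scan-view itself, putting the committed check, the follow-up absolute-prefix check, and a hardened variant side by side on constructed request paths so the difference in what each one rejects is visible; the root `/srv/scan` and the request strings are assumptions made up for the demonstration.

```python
import os


def committed_check(root, path):
    """The r165815 check (reproduced for comparison): accept unless the
    relative path starts with '../'. Misses a bare '..' and, for a
    relative path, compares against the process cwd rather than root."""
    rel = os.path.relpath(path, root)
    return not rel.startswith(os.pardir + os.sep)


def prefix_check(root, path):
    """The follow-up proposal: resolve under root and prefix-match.
    Without a trailing separator, a sibling such as root + '2' passes."""
    rel = os.path.abspath(os.path.join(root, path))
    return rel.startswith(os.path.abspath(root))


def is_within_root(root, path):
    """Hardened variant (added example): accept only root itself or a
    path strictly below root + os.sep. abspath keeps this deterministic
    without touching the filesystem; use os.path.realpath instead when
    the served tree may contain symlinks pointing outside it."""
    root_abs = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root_abs, path))
    return target == root_abs or target.startswith(root_abs + os.sep)


def compare(root, requests):
    """Return {request: (committed, prefix, hardened)} for a set of
    constructed request paths, to show where the checks disagree."""
    return {
        p: (committed_check(root, p), prefix_check(root, p), is_within_root(root, p))
        for p in requests
    }


if __name__ == "__main__":
    # Constructed sample requests against an assumed root of /srv/scan.
    root = "/srv/scan"
    samples = ["report.html", "sub/../index.html", "/srv", "../scan2/x", "/etc/passwd"]
    for req, verdicts in compare(root, samples).items():
        print("%-20s committed=%s prefix=%s hardened=%s" % ((req,) + verdicts))
```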
