I've attached the hg patch that fixes the notebook problem you've
been reporting.   You can apply it with
   hg_sage.apply('4585.patch')
followed by "sage -br" (which will take 10 minutes).
Or, just wait for sage-2.5.4.

On 5/24/07, William Stein <[EMAIL PROTECTED]> wrote:
> On 5/24/07, Marshall Hampton <[EMAIL PROTECTED]> wrote:
> > Help! I was hoping to collaborate with someone using SAGE this week
> > via a notebook, and I can't unless I get this fixed.
> >
> > Because I was getting errors as described above, where the leading /
> > was missing on the path, I used a double // in my path for the
> > notebook, i.e. a command starting out as:
> >
> > notebook('//Users/mh/test', address = '131.
> >
> > etc.
> >
> > This gave me no errors, but the graphics still don't display!  I don't
> > get it.
>
> I am now able to replicate this bug using the notebook
> you posted recently.   This will get fixed for SAGE-2.5.4.
> However, as a temporary workaround, do the following:
>   (1) start SAGE
>   (2) cd to the directory that contains your notebook
>   (3) Type notebook('MySAGE3')
>
> For example, I put your MySAGE3 on my Desktop.  Then:
>
> sage: cd /Users/was/Desktop/
> /Users/was/Desktop
> sage: notebook('MySAGE3',username='was',password='was')
> ... now it works ...
>
> ---
>
> Many thanks for finding this bug and persistently reporting
> it.  It is users like you that really help to improve the quality
> of SAGE.  Thanks!
>
>   -- William
>
>
> > M. Hampton
> >
> > On May 23, 11:07 am, Marshall Hampton <[EMAIL PROTECTED]> wrote:
> > > Stupid question: How do you directly load a .sobj file?
> > >
> > > This display problem seems to have actually gotten worse; now when I
> > > start up a brand-new notebook the problem appears right away.
> > > Upgrading to 2.5.3 didn't seem to help.
> > >
> > > In case it helps at all, I have created a record of my entire notebook
> > > directory at:
> > >
> > > http://www.d.umn.edu/~mhampton/MySAGE3.zip
> > >
> > > When I execute the only command:
> > >
> > > show(line(((1,0),(0,1))))
> > >
> > > the correct PNG file appears in the filesystem but nothing is
> > > displayed and I get the error (in the terminal):
> > >
> > > file not found [Errno 2] No such file or directory: 'Users/guest/MySAGE/MySAGE3/worksheets/_scratch_/cells/0/sage0.png'
> > > nomad66-243.d.umn.edu - - [23/May/2007 10:58:35] "GET /Users/guest/MySAGE/MySAGE3/worksheets/_scratch_/cells/0/sage0.png?1 HTTP/1.1" 404 -
> > >
> > > So it seems that something is stripping the leading / from the path.
> > >
> > > I'm quite puzzled by this and as to how it could have gotten worse.
> > >
> > > -Marshall Hampton
> > >
> > > On May 18, 12:03 pm, "William Stein" <[EMAIL PROTECTED]> wrote:
> > >
> > > > On 5/18/07, Marshall Hampton <[EMAIL PROTECTED]> wrote:
> > >
> > > > > Well, yeah, I'm sure it was dumb - my first guess was that the units
> > > > > were pixels - but I think the interesting thing is the subsequent
> > > > > effect on the worksheet.
> > >
> > > > > I haven't found a simple reproducible version of my more serious,
> > > > > previous problem which corrupts the entire notebook.  I have several
> > > > > worksheets that I would like to 'rescue' from that - how do I copy
> > > > > worksheets from one notebook to another?  Can I just recursively copy
> > > > > the entire worksheet directory?  I think I tried that once and it gave
> > > > > me problems.
> > >
> > > > The worksheet directory is -- unfortunately -- not what defines the
> > > > worksheet.  Can you view the worksheet and click "edit"?  If so, you
> > > > can then just paste the result into another edit of another worksheet
> > > > in a different notebook.
> > >
> > > > If this doesn't work for you, let me know.  The notebook itself is stored
> > > > in nb.sobj in the notebook directory, and one can directly recover a
> > > > lot from it by simply directly loading it from Python command line.
> > >
> > > > > While I am on the subject, I am wondering how to restore the sort
> > > > > of .sws files that one can save from the notebook.
> > >
> > > > Just open any worksheet, then click the upload button in the upper
> > > > right of the notebook.  (Yes, I know it is stupid that you have to open
> > > > a worksheet in order to upload one.)
> > >
> > > > > Thanks,
> > > > > Marshall Hampton
> > >
> > > > > On May 17, 11:18 pm, "William Stein" <[EMAIL PROTECTED]> wrote:
> > > > > > On 5/17/07, Marshall Hampton <[EMAIL PROTECTED]> wrote:
> > >
> > > > > > > I have a more reproducible version of this bug. If you execute the
> > > > > > > following three commands in separate cells, you should see the sort of
> > > > > > > problem I am having:
> > >
> > > > > > > show(line(((0,0),(1,1))))
> > >
> > > > > > > show(line(((0,0),(1,1))),figsize=[1280,800])
> > >
> > > > > > Gees -- that is crazy huge.  A reasonable figsize would be
> > > > > > something like [8,5].   I think the units of figsize are something
> > > > > > like inches...  You probably seriously exceeded the capacity
> > > > > > of SAGE/matplotlib or your browser by making such a large
> > > > > > figure.
> > >
> > > > > > > show(line(((0,0),(1,1))))
> > >
> > > > > > > The middle command generates an error - I was originally trying to
> > > > > > > resize a more complicated figure and this syntax must be wrong.  But
> > > > > > > then the show command won't work at all.  Unlike my previous problems,
> > > > > > > however, stopping and restarting sage will fix this, as will creating
> > > > > > > a new worksheet.   I sense they are related somehow though.
> > >
> > > > > > > M.Hampton
> > >
> > > > > > > On May 16, 8:42 pm, Marshall Hampton <[EMAIL PROTECTED]> wrote:
> > > > > > > > I copied/pasted it from the notebook, so it's not a typo.
> > >
> > > > > > > > I opened it by navigating manually through the filesystem, but the
> > > > > > > > address is correct (with the leading /).
> > >
> > > > > > > > I haven't had a problem of this type before, and I have done some very
> > > > > > > > similar things.  The trouble began when I was writing some fairly
> > > > > > > > buggy code working on a PHCpack parser.  The next time I have access
> > > > > > > > to that machine (probably Friday) I will start a completely new
> > > > > > > > notebook, since perhaps my messed up worksheet somehow 'infected' the
> > > > > > > > overall notebook (I did start new worksheets after the problems
> > > > > > > > started).  I did quit out of sage and restart, but with the same
> > > > > > > > notebook command from my history.
> > >
> > > > > > > > Marshall
> > >
> > > > > > > > On May 16, 3:49 pm, "Justin C. Walker" <[EMAIL PROTECTED]> wrote:
> > >
> > > > > > > > > On May 16, 2007, at 1:35 PM, Marshall Hampton wrote:
> > >
> > > > > > > > > > I am having trouble getting the show() command to work in the
> > > > > > > > > > notebook.  After the following commands:
> > >
> > > > > > > > > > sage: a = [[[0.0, -1.0], [0.0, 1.0]], [[0.0, 1.0], [0.0, -1.0]]]
> > > > > > > > > > sage: pts3=[point((pt[0],pt[1])) for w1 in a for pt in w1]
> > > > > > > > > > sage: show(plot(pts3))
> > >
> > > > > > > > > > nothing happens.  On the terminal display, it acts like the PNG file
> > > > > > > > > > is not there:
> > >
> > > > > > > > > > file not found [Errno 2] No such file or directory: 'Users/guest/MySAGE/MySAGE/worksheets/test/cells/1/sage0.png'
> > > > > > > > > > nomad66-243.d.umn.edu - - [16/May/2007 15:27:33] "GET /Users/guest/MySAGE/MySAGE/worksheets/test/cells/1/sage0.png?1 HTTP/1.1" 404 -
> > >
> > > > > > > > > It's odd that the two lines have slightly different filenames (no
> > > > > > > > > leading "/" in the first one).  Did you type this or copy/paste?
> > > > > > > > > It's a silly question, but it helps to rule out some things (and you
> > > > > > > > > deserve an award of some type if you did type it in :-})
> > >
> > > > > > > > > Could be a quirk of the logging function, or it could be an explanation...
> > >
> > > > > > > > > The above works fine on my Mac (which doesn't help, of course).  No
> > > > > > > > > spaces in the name, it appears.
> > >
> > > > > > > > > Did you try opening the file by copy/pasting the name from the log to
> > > > > > > > > the terminal?
> > >
> > > > > > > > > Justin
> > >
> > > > > > > > > --
> > > > > > > > > Justin C. Walker, Curmudgeon-at-Large
> > > > > > > > > () The ASCII Ribbon Campaign
> > > > > > > > > /\ Help Cure HTML Email
> > >
> > > > > > --
> > > > > > William Stein
> > > > > > Associate Professor of Mathematics
> > > > > > University of Washington
> > > > > > http://www.williamstein.org
> > >
> > > > --
> > > > William Stein
> > > > Associate Professor of Mathematics
> > > > University of Washington
> > > > http://www.williamstein.org
> >
> >
> > > >
> >
>
>
> --
> William Stein
> Associate Professor of Mathematics
> University of Washington
> http://www.williamstein.org
>


-- 
William Stein
Associate Professor of Mathematics
University of Washington
http://www.williamstein.org

--~--~---------~--~----~------------~-------~--~----~
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/sage-support
URLs: http://sage.math.washington.edu/sage/ and http://sage.scipy.org/sage/
-~----------~----~----~----~------~----~------~--~---

# HG changeset patch
# User [EMAIL PROTECTED]
# Date 1180045021 25200
# Node ID e184578c0da9713ed82a89cad52dce2baa3121af
# Parent  fca9124e9024936c5a5171ee0c94276aa1bd732f
Fix a bug involving notebook paths that Marshall Hampton repeatedly clearly reported; also improve the security of the notebook server by not allowing get requests to grab arbitrary files.

diff -r fca9124e9024 -r e184578c0da9 sage/server/notebook/notebook.py
--- a/sage/server/notebook/notebook.py	Tue May 22 19:02:56 2007 -0700
+++ b/sage/server/notebook/notebook.py	Thu May 24 15:17:01 2007 -0700
@@ -1569,6 +1569,12 @@ def notebook(dir         ='sage_notebook
 
     import worksheet
     worksheet.init_sage_prestart()
+
+    if '/' in dir:
+	# change current working directory and make the notebook
+	# directory a subdirectory of the working directory.
+        base, dir = os.path.split(dir)
+        os.chdir(base)
     
     if restart_on_crash:
         # Start a new subprocess
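Review bot: the `if '/' in dir:` block mishandles a trailing slash. For a notebook given as '/Users/mh/test/', `os.path.split` returns ('/Users/mh/test', ''), so `dir` becomes the empty string and the process chdirs into the notebook directory itself; strip separators first (`dir = dir.rstrip(os.sep)`) before splitting. Note also that `os.chdir(base)` changes the working directory of the whole Sage session, which anyone using `cd` at the prompt will notice, so it deserves a mention in the docstring. Minor: the two new comment lines are indented with a tab while the code around them uses spaces.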
diff -r fca9124e9024 -r e184578c0da9 sage/server/notebook/server.py
--- a/sage/server/notebook/server.py	Tue May 22 19:02:56 2007 -0700
+++ b/sage/server/notebook/server.py	Thu May 24 15:17:01 2007 -0700
@@ -87,6 +87,18 @@ SAGE_ROOT = os.environ['SAGE_ROOT']
 SAGE_ROOT = os.environ['SAGE_ROOT']
 
 static_images = ['favicon.ico', 'corner.png', 'evaluate.png', 'evaluate_over.png', 'sagelogo.png']
+
+def safe_path(path):
+    """
+    Return a safe version of the given path, i.e., a relative path with no ..'s.
+    The idea is to make it so the server can't just easily return arbitrary files
+    that it has access to.   Of course, right now in SAGE one can execute a command
+    in a cell that uses os.system to look at anything.  But in the future the 
+    subcommands will be run in a sandbox themselves, so protecting the server
+    is still relevant. 
+    """
+    return path.lstrip('/').replace('..','dotdot_not_allowed')
+    
 
 
 class WebServer(BaseHTTPServer.BaseHTTPRequestHandler):
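Review bot: `safe_path` is a substring blocklist rather than a containment check, so its guarantee is hard to reason about: '..' is rewritten, but the result is never verified to lie under the directory each caller prefixes. A more robust form resolves the joined path and checks the prefix, e.g. `full = os.path.normpath(os.path.join(base, path.lstrip('/')))` followed by `if not full.startswith(base + os.sep): raise IOError(...)`, which also covers any future caller that forgets the prefix. The docstring should state that callers must still join the result onto a fixed base directory. Trim the trailing whitespace on the `is still relevant. ` line and the empty `+    ` line.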
@@ -487,7 +499,7 @@ class WebServer(BaseHTTPServer.BaseHTTPR
         if i == -1:
             return self.file_not_found(path)
         filename = path[i+1:]
-        file = open('%s/devel/sage/sage/%s'%(SAGE_ROOT,filename)).read()
+        file = open('%s/devel/sage/sage/%s'%(SAGE_ROOT,safe_path(filename))).read()
         file = file.replace('<','&lt;')
         s = """
 <html>
@@ -548,8 +560,7 @@ x.innerHTML = prettyPrintOne(x.innerHTML
         #  file
         # file_name is the name of the file requested
         doc_path = os.path.abspath(os.environ['SAGE_ROOT'] + '/doc/')
-        print doc_path
-        file = open(doc_path + full_path + file_name,'r')
+        file = open(doc_path + '/' + safe_path(full_path + file_name),'r')
         doc_page_html = file.read()
         file.close()
         docProcessStart = time.time()
@@ -704,7 +715,7 @@ x.innerHTML = prettyPrintOne(x.innerHTML
         self.send_response(200)
         self.send_header("Content-type", 'application/sage')
         self.end_headers()
-        binfile = open('%s/%s.sws'%(notebook.directory(), filename), 'rb').read()
+        binfile = open('%s/%s.sws'%(notebook.directory(), safe_path(filename)), 'rb').read()
         f = StringIO()
         f.write(binfile)
         f.seek(0)
@@ -726,16 +737,14 @@ x.innerHTML = prettyPrintOne(x.innerHTML
         
         If the path matches none of the strings, 
         then a '200 File Not Found' error is return.
-        
-        This function could be cleaned up?
         """
         compressed = False
         path = self.path.replace('%20',' ')
-        if path[-5:] == '.sobj':
+        if path.endswith('.sobj'):
             path = '%s/%s'%(os.path.abspath(notebook.object_directory()), path)
         else:
-            path = path[1:]
-        if path[-5:] == '.html' and not '/' in path and not '/jsmath' in path and not '/highlight' in path:
+            path = safe_path(path)
+        if path.endswith('.html') and not '/' in path and not '/jsmath' in path and not '/highlight' in path:
             worksheet_filename = path[:-5]
             if worksheet_filename == '__history__':
                 self.input_history_text()
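Review bot: the `.sobj` branch still interpolates the raw request path: `path = '%s/%s'%(os.path.abspath(notebook.object_directory()), path)` runs without `safe_path`, so a '..' segment in a `.sobj` request is not rewritten there, unlike the `else:` branch right below it. Apply `safe_path(path)` in that branch as well; the leading '/' it strips is re-added by the format string. Separately, the docstring context above says a "'200 File Not Found' error" is returned; that status should read 404.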
@@ -759,7 +768,7 @@ x.innerHTML = prettyPrintOne(x.innerHTML
             self.wfile.write(self.robots())
             return
 
-        elif path[-4:] == '.sws':
+        elif path.endswith('.sws'):
             
             worksheet_filename = path[:-4]
             self.download_worksheet(worksheet_filename)
@@ -803,7 +812,7 @@ x.innerHTML = prettyPrintOne(x.innerHTML
                     binfile = self.image(path)
                 elif path[:7] == 'jsmath/' or path[:10] == 'highlight/':
                     binfile = open(SAGE_EXTCODE + "/notebook/javascript/" + path, 'rb').read()
-                else:
+                else: 
                     binfile = open(path, 'rb').read()
             except IOError, msg:
                 print 'file not found', msg
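Review bot: the only change in this hunk is trailing whitespace added after `else:`; drop it so the diff stays minimal. The `open(path, 'rb')` fallback in that branch previously relied on the `path[1:]` stripping done earlier and now depends on `safe_path` having been applied upstream, so a one-line comment saying so would help the next reader.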
@@ -1075,6 +1084,7 @@ x.innerHTML = prettyPrintOne(x.innerHTML
             self._images = {}
             return self.image(filename)
         except KeyError:
+	    filename = safe_path(filename)
             self._images[filename] = open(SAGE_EXTCODE +
                   '/notebook/images/' + filename, 'rb').read()
             return self._images[filename]
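Review bot: `filename = safe_path(filename)` is indented with a tab while the surrounding lines use spaces; Python 2 accepts the mix only because the tab happens to expand to the same column, and `python -tt` would reject it. Also, sanitising inside the `except KeyError:` branch means the cache entry is stored under the sanitised name after the lookup that raised; if that lookup used the raw name, repeat requests for the same image will keep missing the cache. Sanitise once at the method entry, before the dictionary lookup.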
