WebKit/Application.py uses glob() to map URIs to a set of possible
matches in the file system. Note that glob() pattern-matches against
the entire path, not just the base name, and the request path reaches it
unescaped, so glob metacharacters (*, ?, [...]) in a URL are interpreted
as a pattern. This allows clients to effectively search the context file
tree and retrieve files that aren't referenced by any links, without
knowing the subdirectory name (e.g. http://host/context/*/index).
Of course, it's bad practice to put anything in context areas
that shouldn't be seen. Still, I doubt full path expansion was what
the author intended.
Here's a patch against today's CVS.
I added a couple of other security-related things while I was at it:
- support for ExtensionsToServe
- do not serve non-regular files
*** Application.py 2001/11/09 15:52:24 1.1
--- Application.py 2001/11/09 16:16:20
***************
*** 8,14 ****
from ServletFactory import *
from UnknownFileTypeServlet import UnknownFileTypeServletFactory
from types import FloatType
! from glob import glob
import Queue
import imp
import string
--- 8,14 ----
from ServletFactory import *
from UnknownFileTypeServlet import UnknownFileTypeServletFactory
from types import FloatType
! import re
import Queue
import imp
import string
***************
*** 102,107 ****
--- 102,112 ----
self._serverSideInfoCacheByPath = {}
self._cacheDictLock = Lock()
self._instanceCacheSize = self._server.setting('MaxServerThreads')
+ for attr in ['ExtensionsToServe', 'ExtensionsToIgnore']:
+ x = self.setting(attr, None)
+ if x:
+ x = re.compile('(' + '|'.join([re.escape(i) for i in
+x]) + ')$')
+ setattr(self, attr, x)
# Set up servlet factories
self._factoryList = [] # the list of factories
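Review bot: When a setting is absent or empty the `if x:` guard skips the `setattr`, so `self.ExtensionsToServe` is never bound on the instance and the later read of it in the new `filenamesForBaseName` raises AttributeError unless the class declares a default somewhere outside this patch — and ExtensionsToServe is a new setting, so existing configurations will not have it. Bind the attribute on every path by moving `setattr(self, attr, x)` out of the `if`, so a missing setting leaves `None`, which the `not S` / `not I` tests already handle. A short comment such as `# None means "no restriction"; a compiled regex anchored with $ otherwise` would make that contract explicit. The enclosing method starts and ends outside this hunk.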
***************
*** 934,945 ****
Returns a list of all filenames with extensions existing for baseName,
but not including extension found in the setting ExtensionsToIgnore. This utility
method is used by serverSideInfoForRequest().
Example: '/a/b/c' could yield ['/a/b/c.py', '/a/b/c.html'], but will
never yield a '/a/b/c.pyc' filename since .pyc files are ignored.
'''
! filenames = glob(baseName+'.*')
! ignoreExts = self.setting('ExtensionsToIgnore')
! for i in range(len(filenames)):
! if os.path.splitext(filenames[i])[1] in ignoreExts: # @@
2000-06-22 ce: linear search
! filenames[i] = None
! filenames = filter(None, filenames)
if debug:
print '>> filenamesForBaseName(%s) returning %s' % (
repr(baseName), repr(filenames))
--- 939,953 ----
Returns a list of all filenames with extensions existing for baseName,
but not including extension found in the setting ExtensionsToIgnore. This utility
method is used by serverSideInfoForRequest().
Example: '/a/b/c' could yield ['/a/b/c.py', '/a/b/c.html'], but will
never yield a '/a/b/c.pyc' filename since .pyc files are ignored.
'''
! dir,base = os.path.split(baseName)
! S,I = self.ExtensionsToServe,self.ExtensionsToIgnore
! filenames = []
! for f in os.listdir(dir or os.curdir):
! b,e = os.path.splitext(f)
! if b == base and \
! (not S or S.match(e)) and \
! (not I or not I.match(e)):
! filenames.append(os.path.join(dir,f))
if debug:
print '>> filenamesForBaseName(%s) returning %s' % (
repr(baseName), repr(filenames))
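Review bot: `os.listdir(dir or os.curdir)` raises `os.error` when `dir` does not exist or is unreadable, whereas the `glob()` call it replaces returned `[]`, so a request naming a non-existent directory now propagates an exception out of `filenamesForBaseName` instead of ending in the caller's "not found" branch. Guard the listing to keep the old contract: `try: entries = os.listdir(dir or os.curdir)` / `except os.error: entries = []`, then iterate `entries`. Separately, if `base` can be empty (a path ending in `/`), the `b == base` test compares against whatever stem `os.path.splitext` gives dot-files, which on the Python of this era is `''` for names like `.htaccess`, so such files could become candidates unless ExtensionsToServe is configured — an early `if not base: return []` would close that, though whether an empty base can reach here is not visible in the hunk. The `def` line and the start of the docstring are outside this hunk.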
***************
*** 1097,1103 ****
else:
print 'WARNING: For %s, did not get precisely 1
filename: %s' % (urlPath, filenames)
return None, None, None
! elif not os.path.exists(ssPath):
return None, None, None
self._serverSideInfoCacheByPath[urlPath] = ssPath, contextPath,
contextName
--- 1105,1111 ----
else:
print 'WARNING: For %s, did not get precisely 1
filename: %s' % (urlPath, filenames)
return None, None, None
! elif not os.path.isfile(ssPath):
return None, None, None
self._serverSideInfoCacheByPath[urlPath] = ssPath, contextPath,
contextName
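Review bot: `os.path.isfile` follows symbolic links, so a symlink inside a context that points at a regular file elsewhere on the host still passes this check and is served; if "do not serve non-regular files" is meant to exclude links as well, test for them first: `elif os.path.islink(ssPath) or not os.path.isfile(ssPath):`. The patch description does not say whether links are intentionally allowed, so confirm the intent before changing it. The result is written to `_serverSideInfoCacheByPath` on the following line, so this check appears to run only on the first request for a given urlPath. The enclosing function begins and continues outside this hunk.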