improved router, thanks Jonathan

This commit is contained in:
mdipierro
2012-07-29 16:21:45 -05:00
parent 787c14436e
commit 86986b5ae1
5 changed files with 56 additions and 8 deletions
+1 -1
@@ -1 +1 @@
Version 2.00.0 (2012-07-29 13:56:56) dev
Version 2.00.0 (2012-07-29 16:21:39) dev
+4 -3
@@ -46,9 +46,9 @@ def _router_default():
domains = None,
exclusive_domain = False,
map_hyphen = False,
acfe_match = r'\w+$', # legal app/ctlr/fcn/ext
file_match = r'([-+=@$%\w]+[./]?)+$', # legal static file (path) name
args_match = r'([\w@ -]+[=.]?)*$', # legal arg in args
acfe_match = r'\w+$', # legal app/ctlr/fcn/ext
file_match = r'([-+=@$%\w]+[./]?)+$', # legal static subpath
args_match = r'([\w@ -]+[=.]?)*$', # legal arg in args
)
return router
@@ -966,6 +966,7 @@ class MapUrlIn(object):
for name in self.args:
bad_static = bad_static or name in ('', '.', '..') or not self.router._file_match.match(name)
if bad_static:
log_rewrite('bad static path=%s' % file)
raise HTTP(400, thread.routes.error_message % 'invalid request',
web2py_error='invalid static file')
#
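Review bot: The per-element guard added at `bad_static = bad_static or name in ('', '.', '..') or not self.router._file_match.match(name)` relies on a pattern anchored with `$`, and in Python `$` also matches just before a trailing newline, so an element such as `static\n` passes the stock `([-+=@$%\w]+[./]?)+$` even though a newline is not a legal file-name character here. If the static path reaching this loop has already been URL-decoded upstream (not visible in this hunk), `%0a` would get through; anchoring the default with `\Z`, `file_match = r'([-+=@$%\w]+[./]?)+\Z'`, closes it for the stock pattern, and since users may supply their own pattern the loop itself should also reject it, `bad_static = bad_static or name in ('', '.', '..') or '\n' in name or not self.router._file_match.match(name)`. The `('', '.', '..')` check is the right shape for a traversal guard and is independent of the configured regex; a comment saying so would help, e.g. `# empty/./.. elements are rejected regardless of file_match: this is the traversal guard`. The enclosing MapUrlIn method starts and ends outside this hunk.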
+44
@@ -13,6 +13,7 @@ if os.path.isdir('gluon'):
sys.path.append(os.path.realpath('gluon')) # running from web2py base
else:
sys.path.append(os.path.realpath('../')) # running from gluon/tests/
os.environ['web2py_path'] = os.path.realpath('../../') # for settings
from rewrite import load, filter_url, filter_err, get_effective_router, map_url_out
from html import URL
@@ -794,6 +795,49 @@ class TestRouter(unittest.TestCase):
self.assertEqual(filter_err(399), 399)
self.assertEqual(filter_err(400), 400)
def test_router_static_path(self):
'''
Test validation of static paths
Stock pattern: file_match = r'([-+=@$%\w]+[./]?)+$'
'''
load(rdict=dict())
self.assertEqual(filter_url('http://domain.com/welcome/static/path/to/static'), "%s/applications/welcome/static/path/to/static" % root)
self.assertRaises(HTTP, filter_url, 'http://domain.com/welcome/static/bad/path/to/st~tic')
self.assertEqual(filter_url('http://domain.com/welcome/static/path/to--/static'), "%s/applications/welcome/static/path/to--/static" % root)
self.assertEqual(filter_url('http://domain.com/welcome/static/path/==to--/static'), "%s/applications/welcome/static/path/==to--/static" % root)
self.assertEqual(filter_url('http://domain.com/welcome/static/path/-+=@$%/static'), "%s/applications/welcome/static/path/-+=@$%%/static" % root)
self.assertRaises(HTTP, filter_url, 'http://domain.com/welcome/static/bad/path/to/.static')
self.assertRaises(HTTP, filter_url, 'http://domain.com/welcome/static/bad/path/to/s..tatic')
self.assertRaises(HTTP, filter_url, 'http://domain.com/welcome/static/bad/path/to//static')
self.assertRaises(HTTP, filter_url, 'http://domain.com/welcome/static/bad/path/to/#static')
router_static = dict(
BASE = dict(
file_match = r'([-+=@$%#\w]+[./]?)+$', # legal static path
),
)
load(rdict=router_static)
self.assertEqual(filter_url('http://domain.com/welcome/static/path/to/#static'), "%s/applications/welcome/static/path/to/#static" % root)
router_static = dict(
BASE = dict(
file_match = r'[-+=@$%#.\w]+$', # legal static path element
),
)
load(rdict=router_static)
self.assertEqual(filter_url('http://domain.com/welcome/static/path/to/static'), "%s/applications/welcome/static/path/to/static" % root)
self.assertRaises(HTTP, filter_url, 'http://domain.com/welcome/static/bad/path/to/st~tic')
self.assertEqual(filter_url('http://domain.com/welcome/static/path/to--/static'), "%s/applications/welcome/static/path/to--/static" % root)
self.assertEqual(filter_url('http://domain.com/welcome/static/path/==to--/static'), "%s/applications/welcome/static/path/==to--/static" % root)
self.assertEqual(filter_url('http://domain.com/welcome/static/path/-+=@$%/static'), "%s/applications/welcome/static/path/-+=@$%%/static" % root)
self.assertRaises(HTTP, filter_url, 'http://domain.com/welcome/static/bad/path/to//static')
self.assertEqual(filter_url('http://domain.com/welcome/static/path/to/#static'), "%s/applications/welcome/static/path/to/#static" % root)
self.assertRaises(HTTP, filter_url, 'http://domain.com/welcome/static/bad/path/./static')
self.assertRaises(HTTP, filter_url, 'http://domain.com/welcome/static/bad/path/../static')
self.assertEqual(filter_url('http://domain.com/welcome/static/path/.../static'), "%s/applications/welcome/static/path/.../static" % root)
self.assertEqual(filter_url('http://domain.com/welcome/static/path/to/.static'), "%s/applications/welcome/static/path/to/.static" % root)
def test_router_args(self):
'''
Test URL args parsing/generation
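Review bot: The explicit `('', '.', '..')` element check that backs the new per-element validation is only exercised under the custom element-wise pattern (the `bad/path/./static` and `bad/path/../static` cases near the end of test_router_static_path); under the stock pattern those elements happen to be rejected by the regex alone, so a later relaxation of file_match could lose the traversal guard without any test failing. Adding the same two assertions to the stock-pattern part of the test pins the behaviour whichever pattern is configured: `self.assertRaises(HTTP, filter_url, 'http://domain.com/welcome/static/bad/path/../static')` and `self.assertRaises(HTTP, filter_url, 'http://domain.com/welcome/static/bad/path/./static')`. A case for an element ending in a newline (in whatever encoding filter_url accepts, which this hunk does not show) would also be worthwhile, since a `$`-anchored pattern matches before a trailing newline.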
+1
@@ -13,6 +13,7 @@ if os.path.isdir('gluon'):
sys.path.append(os.path.realpath('gluon')) # running from web2py base
else:
sys.path.append(os.path.realpath('../')) # running from gluon/tests/
os.environ['web2py_path'] = os.path.realpath('../../') # for settings
from rewrite import load, filter_url, filter_err, get_effective_router, regex_filter_out, regex_select
from html import URL
+6 -4
@@ -64,7 +64,9 @@
# map_static: By default, the default application is not stripped from static URLs.
# Set map_static=True to override this policy.
# acfe_match: regex for valid application, controller, function, extension /a/c/f.e
# file_match: regex for valid file (used for static file names)
# file_match: regex for valid subpath (used for static file paths)
# if file_match does not contain '/', it is uses to validate each element of a static file subpath,
# rather than the entire subpath.
# args_match: regex for valid args
# This validation provides a measure of security.
# If it is changed, the application perform its own validation.
@@ -84,9 +86,9 @@
# root_static = ['favicon.ico', 'robots.txt'],
# domains = None,
# map_hyphen = False,
# acfe_match = r'\w+$', # legal app/ctlr/fcn/ext
# file_match = r'(\w+[-=./]?)+$', # legal file (path) name
# args_match = r'([\w@ -]+[=.]?)+$', # legal arg in args
# acfe_match = r'\w+$', # legal app/ctlr/fcn/ext
# file_match = r'([-+=@$%\w]+[./]?)+$', # legal static subpath
# args_match = r'([\w@ -]+[=.]?)+$', # legal arg in args
# )
#
# See rewrite.map_url_in() and rewrite.map_url_out() for implementation details.
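Review bot: The new comment line `if file_match does not contain '/', it is uses to validate each element of a static file subpath,` has a typo and should read `it is used to validate each element of a static file subpath`. The security remark just below it, `If it is changed, the application perform its own validation.`, is also missing a word and should read `If it is changed, the application should perform its own validation.` Readers who do override file_match would further benefit from knowing that the router rejects empty, `.` and `..` subpath elements independently of the pattern (the element check added to rewrite.py in this commit), e.g. `# empty, '.' and '..' subpath elements are always rejected, whatever file_match is set to`.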