fixed problem with raw_args

mdipierro
2012-12-03 14:04:17 -06:00
parent cabe9603c2
commit fdf7d5661d
3 changed files with 25 additions and 12 deletions
+1 -1
@@ -1 +1 @@
Version 2.2.1 (2012-12-03 13:15:15) stable
Version 2.2.1 (2012-12-03 14:03:31) stable
+20 -10
@@ -55,7 +55,9 @@ regex_space = re.compile('(\+|\s|%20)+')
# file and args may also contain '-', '=', '.' and '/'
# apps in routes_apps_raw must parse raw_args into args
regex_url = re.compile('^/((?P<a>\w+)(/(?P<c>\w+)(/(?P<z>(?P<f>\w+)(\.(?P<e>[\w.]+))?(?P<s>[/\w@=-]*(\.[/\w@=-]+)*)))?)?)?$')
regex_url = re.compile('^/((?P<a>\w+)(/(?P<c>\w+)(/(?P<z>(?P<f>\w+)(\.(?P<e>[\w.]+))?(?P<s>.*)))?)?)?$')
regex_args = re.compile('^[/\w@=-]*(\.[/\w@=-]+)*$')
def _router_default():
"return new copy of default base router"
@@ -604,6 +606,10 @@ def regex_filter_in(e):
def sluggify(key):
return key.lower().replace('.', '_')
def invalid_url(routes):
raise HTTP(400,
routes.error_message % 'invalid request',
web2py_error='invalid path')
def regex_url_in(request, environ):
"rewrite and parse incoming URL"
@@ -631,18 +637,21 @@ def regex_url_in(request, environ):
path = path[:-1]
match = regex_url.match(path)
if not match:
raise HTTP(400,
routes.error_message % 'invalid request',
web2py_error='invalid path')
elif match.group('c') == 'static':
invalid_url(routes)
request.raw_args = (match.group('s') or '')
if request.raw_args.startswith('/'):
request.raw_args = request.raw_args[1:]
if match.group('c') == 'static':
application = match.group('a')
version, filename = None, match.group('z')
items = filename.split('/', 1)
if regex_version.match(items[0]):
version, filename = items
static_file = pjoin(request.env.applications_parent,
'applications', application,
'static', filename)
static_folder = pjoin(request.env.applications_parent,
'applications', application,'static')
static_file = os.path.abspath(pjoin(static_folder,filename))
if not static_file.startswith(static_folder):
invalid_url(routes)
return (static_file, version, environ)
else:
# ##################################################
@@ -653,12 +662,13 @@ def regex_url_in(request, environ):
request.function = match.group('f') or routes.default_function
request.raw_extension = match.group('e')
request.extension = request.raw_extension or 'html'
request.raw_args = match.group('s')
if request.application in routes.routes_apps_raw:
# application is responsible for parsing args
request.args = None
elif not regex_args.match(request.raw_args):
invalid_url(routes)
elif request.raw_args:
request.args = List(request.raw_args.split('/')[1:])
request.args = List(request.raw_args.split('/'))
else:
request.args = List([])
return (None, None, environ)
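Review bot: The traversal guard in the static branch of regex_url_in, `if not static_file.startswith(static_folder):`, is a plain string-prefix test, so a resolved path inside a sibling directory whose name merely begins with `static` (a constructed example: a `static_private` folder next to `static`) still passes it. Because this commit also relaxes the `s` group of regex_url to `.*`, the old character whitelist no longer applies to the static filename taken from group `z`, and this check appears to be the only constraint left on it. Compare against the folder plus a separator and normalize both sides: `static_folder = os.path.abspath(pjoin(request.env.applications_parent, 'applications', application, 'static'))` and `if not static_file.startswith(static_folder + os.sep):`. As written, static_folder is not passed through abspath, so if applications_parent is relative or unnormalized (not visible here) legitimate requests would be rejected with a 400. regex_url_in begins and ends outside the hunks shown.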
+4 -1
@@ -105,13 +105,16 @@ class TestRoutes(unittest.TestCase):
self.assertEqual(filter_url(
'http://domain.com/abc/def/ghi/j%20kl'), "/abc/def/ghi ['j_kl']")
self.assertEqual(filter_url('http://domain.com/welcome/static/path/to/static'), "%s/applications/welcome/static/path/to/static" % root)
# no more necessary since explcit check for directory traversal attacks
"""
self.assertRaises(HTTP, filter_url, 'http://domain.com/welcome/static/bad/path/to/st~tic')
try:
# 2.7+ only
self.assertRaisesRegexp(HTTP, "400.*BAD REQUEST \[invalid path\]", filter_url, 'http://domain.com/welcome/static/bad/path/to/st~tic')
except AttributeError:
pass
# outgoing
"""
# outgoing
self.assertEqual(filter_url('http://domain.com/init/default/index',
out=True), '/init/default/index')
self.assertEqual(filter_url('http://domain.com/init/default/index/arg1', out=True), '/init/default/index/arg1')
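Review bot: The `st~tic` rejection test is disabled by wrapping it in a bare triple-quoted string and nothing replaces it, so the new explicit traversal check in the static branch has no test coverage in this change. Delete the dead block instead of leaving it as a string statement, and add a case that exercises the guard, for example `self.assertRaises(HTTP, filter_url, 'http://domain.com/welcome/static/../../private/file')` (constructed path; confirm filter_url passes the `..` segments through unchanged). Since a static path containing `~` presumably no longer raises a 400, an assertion pinning what it now resolves to would document that behaviour change. The enclosing test method starts and ends outside the hunk.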