If the base directory already ends with '/' the test failed.
It failed because we added an extra '/' to make sure that '/foobar' is
not under '/foo', so ask '/foobar/'.startswith('/foo/').
Whoever when we have the base already start with '/' we might test:
'/foo/bar/'.startwith('/foo//'), and give a false negative. We
shouldn't have this case, because we normalized the path, but in the
case of the root directory ('/') even a normalized path ends with '/',
and thus when base='/' this function failed.
Some re-factoring was needed to make this base testable.
This should have resolved security issue#1261 -- gluon.tools.Expose
symlinks, however it does not deal well with the case where the base
exposed directory is '/'
On the previous commit we changed text and subject from unicode
to str. After a better solution from @cassiobotaro, we're using
unicode again, selecting the encoding as the one passed via encoding
parameter.
On PR #964 @matclab forced the encoding of both subject and
text variables to unicode.
After merging it, matclab realized that when we send Unicode
text to the method it raises an exception and asked if he should
change the commit. Unfortunately this thing was kept untouched.
This problem exists because we previously encode the unicode variables
to utf-8 (for instance here https://github.com/web2py/web2py/blob/master/gluon/tools.py#L478-L481) and then force again to unicode. This piece of code shows what happens:
```
>>> a = u'áéí'
>>> a
u'\xe1\xe9\xed'
>>> b = a.encode('utf-8')
>>> b
'\xc3\xa1\xc3\xa9\xc3\xad'
>>> unicode(a)
u'\xe1\xe9\xed'
>>> unicode(b)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 0: ordinal not in range(128)
```
If we force to str, just like @matclab suggested, we solve this issue.
- if hmac.compare_digest is there, we should use it instead of our own
fallback.
- jwt handler has been updated to use utils.compare (reported in
#web2py-users)
- includes the same mods as https://github.com/web2py/web2py/pull/1146
mdipierro