Commit 9353852c authored Feb 12, 2021 by Jérome Perrin
simplehttpserver: prevent overwriting files outside of document path
parent bbae9095
Showing 2 changed files with 14 additions and 0 deletions
slapos/recipe/simplehttpserver/simplehttpserver.py +3 -0
slapos/test/recipe/test_simplehttpserver.py +11 -0
slapos/recipe/simplehttpserver/simplehttpserver.py
...
...
@@ -57,6 +57,9 @@ class ServerHandler(SimpleHTTPRequestHandler):
def
writeFile
(
self
,
filename
,
content
,
method
=
'ab'
):
file_path
=
os
.
path
.
abspath
(
os
.
path
.
join
(
self
.
document_path
,
filename
))
if
not
file_path
.
startswith
(
self
.
document_path
):
self
.
respond
(
403
,
'text/plain'
)
self
.
wfile
.
write
(
b"Forbidden"
)
try
:
os
.
makedirs
(
os
.
path
.
dirname
(
file_path
))
...
...
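Review bot: The new `if not file_path.startswith(self.document_path):` branch in `writeFile` sends the 403 but has no `return` after `self.wfile.write(b"Forbidden")`, so in the lines shown execution continues into the `try:` / `os.makedirs(os.path.dirname(file_path))` that follows and the rejected path can still be created and written. Add a `return` at the end of the branch. The containment test is also a plain string prefix: a sibling directory whose name merely begins with the document path (for example a document path ending in `www` and a target under `www-backup`) passes it, and `os.path.abspath` does not resolve symlinks. Comparing `os.path.realpath` of both paths with `os.path.commonpath`, or checking the prefix against `self.document_path + os.sep`, would close both gaps.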
slapos/test/recipe/test_simplehttpserver.py
...
...
@@ -87,3 +87,14 @@ class SimpleHTTPServerTest(unittest.TestCase):
self
.
assertIn
(
'hello.txt'
,
requests
.
get
(
server_base_url
).
text
)
self
.
assertEqual
(
requests
.
get
(
server_base_url
+
'/hello.txt'
).
text
,
'hello'
)
# incorrect paths are refused
for
path
in
'/hello.txt'
,
'../hello.txt'
:
resp
=
requests
.
post
(
server_base_url
,
files
=
{
'path'
:
path
,
'content'
:
b'hello'
,
},
)
self
.
assertEqual
(
resp
.
status_code
,
requests
.
codes
.
forbidden
)
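Review bot: The loop over `'/hello.txt', '../hello.txt'` asserts only `resp.status_code`, so it would still pass if the handler answered 403 and then wrote the file anyway. After each POST, also assert that no file was created at the location the path resolves to outside the document path. A further case targeting a sibling directory that shares the document path as a name prefix would exercise the `startswith` comparison in `writeFile` as well.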