From brond...@apache.org
Subject [2/2] allura git commit: [#8180] Check static file urls
Date Thu, 01 Feb 2018 15:50:11 GMT
[#8180] Check static file urls


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/2f2f6d08
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/2f2f6d08
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/2f2f6d08

Branch: refs/heads/master
Commit: 2f2f6d08c59074070eb7537ab198afbf9d7b339d
Parents: e7aa4c2
Author: Dave Brondsema <dave@brondsema.net>
Authored: Mon Jan 29 11:29:28 2018 -0500
Committer: Dave Brondsema <dave@brondsema.net>
Committed: Thu Feb 1 10:47:48 2018 -0500

----------------------------------------------------------------------
 Allura/allura/lib/custom_middleware.py        |  2 ++
 Allura/allura/tests/functional/test_static.py | 11 +++++++++++
 2 files changed, 13 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/2f2f6d08/Allura/allura/lib/custom_middleware.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index fce19e5..01e58e1 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -66,6 +66,8 @@ class StaticFilesMiddleware(object):
             return exc.HTTPNotFound()(environ, start_response)
 
     def get_app(self, environ):
+        if '..' in environ['PATH_INFO']:
+            raise OSError
         for prefix, ep in self.directories:
             if environ['PATH_INFO'].startswith(prefix):
                 filename = environ['PATH_INFO'][len(prefix):]
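Review bot: The added guard at the top of `get_app` is a substring test, so it also rejects any legitimate static asset whose name merely contains `..` (for example `foo..bar.js`), while it only catches traversal expressed as a whole `..` segment anyway; testing segments is both more precise and no weaker: `if '..' in environ['PATH_INFO'].split('/'):`. The bare `raise OSError` carries no message; `raise OSError('unsafe static path')` would make the rejection identifiable in logs without changing whatever `except OSError` handler maps it to the 404 seen at line 39 (that handler is outside the hunk, as is the rest of `get_app`, where `filename` is later joined onto a directory). Either variant presumes PATH_INFO has already been percent-decoded by the WSGI layer, which the `%2E`/`%2F` cases in the accompanying test appear to rely on; a defence that does not depend on that is to resolve the joined path after the loop and refuse anything that does not stay under the chosen directory, which is worth a short comment at the guard either way.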

http://git-wip-us.apache.org/repos/asf/allura/blob/2f2f6d08/Allura/allura/tests/functional/test_static.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_static.py b/Allura/allura/tests/functional/test_static.py
index 49e9295..6d66d33 100644
--- a/Allura/allura/tests/functional/test_static.py
+++ b/Allura/allura/tests/functional/test_static.py
@@ -21,6 +21,17 @@ from allura.tests import TestController
 class TestStatic(TestController):
 
     def test_static_controller(self):
+        # package directory
         self.app.get('/nf/_static_/wiki/js/browse.js')
         self.app.get('/nf/_static_/wiki/js/no_such_file.js', status=404)
         self.app.get('/nf/_static_/no_such_tool/js/comments.js', status=404)
+        # main allura resource
+        self.app.get('/nf/_static_/images/user.png')
+
+    def test_path_traversal(self):
+        # package directory
+        self.app.get('/nf/_static_/wiki/../../../setup.py', status=404)
+        self.app.get('/nf/_static_/wiki/..%2F..%2F..%2Fsetup.py', status=404)
+        self.app.get('/nf/_static_/wiki/.%2E/.%2E/.%2E/setup.py', status=404)
+        # main allura resource
+        self.app.get('/nf/_static_/../../../setup.py', status=404)
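Review bot: `test_path_traversal` asserts only a 404, which is also what a missing target would produce, so the tests are meaningful only because `setup.py` is expected to exist at the repository root relative to the static directories; that assumption should be stated so a later layout change does not turn these into vacuous passes, e.g. `# setup.py exists at the repo root, so a 200 here would mean traversal succeeded`. The two `# package directory` / `# main allura resource` comments would read better as `# tool package static dir` and `# Allura's own static dir` to mirror the cases in `test_static_controller`. Whether the `..` and encoded forms reach the middleware unnormalised depends on the test client not canonicalising the path before issuing the request; that is inferred here, not visible in the hunk.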

