quetz-mod_python-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nicolas Lehuen (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (MODPYTHON-23) mod_python.publisher default index file traversal
Date Sat, 30 Apr 2005 07:04:04 GMT
     [ http://issues.apache.org/jira/browse/MODPYTHON-23?page=all ]
     
Nicolas Lehuen resolved MODPYTHON-23:
-------------------------------------

      Assign To: Nicolas Lehuen
     Resolution: Fixed
    Fix Version: 3.2.0

Fixed along with MODPYTHON-9.

> mod_python.publisher default index file traversal
> -------------------------------------------------
>
>          Key: MODPYTHON-23
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-23
>      Project: mod_python
>         Type: Bug
>     Versions: 3.1.4
>     Reporter: Graham Dumpleton
>     Assignee: Nicolas Lehuen
>      Fix For: 3.2.0

>
> If one has an "index.py" file and one is using:
>   SetHandler mod_python
>   PythonHandler mod_python.publisher
> with the "index.py" file containing:
>   class MyObject:
>     def method(self):
>       return "MyObject.method()"
>     def __str__(self):
>       return "MyObject.__str__()"
>   myobject = MyObject()
> One can access the method of the class instance as:
>   /index/myobject/method
> and the object itself as:
>   /index/myobject
> One can also leave out "index" in the latter and just say:
>   /myobject
> and it will still work. If one however says:
>   /myobject/method
> it doesn't work.
> In summary, when using fallback mechanism onto "index.py", traversal
> into any object does not work.
> To fix this a few changes would be needed in publisher.py. First off change:
>         # try again, using default module, perhaps this is a 
>         # /directory/function (as opposed to /directory/module/function)
>         func_path = module_name
>         module_name = "index"
> to:
>         # try again, using default module, perhaps this is a 
>         # /directory/function (as opposed to /directory/module/function)
>         #func_path = module_name
>         if func_path:
>             func_path = module_name + '.' + func_path
>         else:
>             func_path = module_name
>         module_name = "index"
> One then must move the code:
>     # default to 'index' if no path_info was given
>     if not func_path:  
>         func_path = "index"
> This should be relocated to after the module is imported. Ie., just before:
>     # does it have an __auth__?
> One also needs to change:
>     # if any part of the path begins with "_", abort
>     if func_path[0] == '_' or func_path.count("._"):
>         raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
> to:
>     # if any part of the path begins with "_", abort
>     if func_path[:1] == '_' or func_path.count("._"):
>         raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
> This is needed because the movement of the setting to func_path to "index"
> means that func_path may not be set at that point. Thus use "[:1]" to cope
> with that, or nest it in an "if" statement such as:
>     # if any part of the path begins with "_", abort
>     if func_path and (func_path[0] == '_' or func_path.count("._")):
>         raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
> Note that actual changes given above untested on publisher.py itself.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message