Validate full file path in the static file handler #383

Merged
merged 6 commits into from
May 30, 2015
Conversation

magv
Contributor

@magv magv commented May 28, 2015

Hopefully prevent directory traversal attacks; as discussed in issue #380.

@asvetlov
Member

The code looks good at first glance, but I cannot accept it without tests.

Please push test code after the functional tests for static file handling (https://github.com/KeepSafe/aiohttp/blob/master/tests/test_web_functional.py#L263-347).

@magv
Contributor Author

magv commented May 29, 2015

It turns out that requiring tests is a great policy, because my first patch had an embarrassing error in it: filename was used instead of filepath in one critical place, thus making StaticRoute forbid all filenames, except for those that are absolute paths...

Interestingly enough, the current static file tests would not have caught that error, because they all use absolute paths in the request URLs -- for example, on this line filename is set to the absolute path, and then over here url is set to "/static/" plus that absolute path.

I think that was not intended, so I changed those tests and made them use short paths in the URLs (the tests still pass).
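The approach this PR takes, shown in isolation as an added example that is not aiohttp's code and not part of this PR: the serving directory is normalised once with os.path.abspath() and given a trailing os.sep, and every request name is joined onto it, normalised again and must still start with that prefix. The class name StaticFiles, the check_exists flag and the URL-prefix handling are assumptions made for this illustration, resolve_buggy is a reconstruction of the filename/filepath mix-up described in the comment above (its exact original form is not shown on this page), and the paths are POSIX-style.

```python
"""Added example (not aiohttp's code): prefix-checking a static-file path.

The serving directory is normalised once with os.path.abspath() and given a
trailing os.sep; each request name is joined onto it, normalised again and
must still start with that prefix.  StaticFiles, check_exists and the URL
handling are assumptions made for this illustration; paths are POSIX-style.
"""
import os
from urllib.parse import unquote


class StaticFiles:
    def __init__(self, prefix, directory, *, check_exists=True):
        # Fail at construction rather than on the first request.  check_exists
        # exists only so the demo below can use a directory that is not
        # present on this machine; a real handler would always check.
        if check_exists and not os.path.isdir(directory):
            raise ValueError("%r is not a directory" % directory)
        self._prefix = prefix
        # The trailing os.sep matters: without it '/srv/static_private/x'
        # satisfies startswith('/srv/static').  abspath() is lexical only;
        # use os.path.realpath() on both sides if symlinks inside the
        # directory must not lead outside it.
        self._directory = os.path.abspath(directory) + os.sep

    def filename_from_url(self, url_path):
        """Strip the URL prefix and percent-decode before touching the disk."""
        if not url_path.startswith(self._prefix):
            raise ValueError("URL %r is outside prefix %r" % (url_path, self._prefix))
        # '%2e%2e' decodes to '..'; the traversal check must see the decoded name.
        return unquote(url_path[len(self._prefix):])

    def resolve(self, filename):
        """Return the on-disk path for filename, or None if it escapes the directory."""
        # os.path.join() discards the base when filename is absolute, and
        # abspath() collapses '..' segments, so one startswith() on the
        # result rejects absolute requests and traversal alike.  The empty
        # name normalises to the directory itself (no trailing sep) and is
        # refused as well.
        filepath = os.path.abspath(os.path.join(self._directory, filename))
        if not filepath.startswith(self._directory):
            return None
        return filepath

    def resolve_buggy(self, filename):
        """Reconstruction (exact form assumed) of checking the request name
        instead of the joined path."""
        filepath = os.path.join(self._directory, filename)
        # A relative name never starts with the absolute directory, so every
        # normal request is refused, while an absolute path under the
        # directory passes.  Tests that put absolute paths in the URL never
        # notice the difference.
        if not filename.startswith(self._directory):
            return None
        return filepath


if __name__ == "__main__":
    # Constructed sample requests; /srv/static need not exist for this demo.
    files = StaticFiles("/static/", "/srv/static", check_exists=False)
    for url in ("/static/css/app.css", "/static/%2e%2e/%2e%2e/etc/passwd",
                "/static//etc/passwd", "/static//srv/static_private/key"):
        name = files.filename_from_url(url)
        print("%-40s -> %s" % (url, files.resolve(name)))
```

Running the block prints one line per constructed request; only the first resolves to a path, the traversal, absolute-path and sibling-directory requests all come back as None.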

@@ -149,7 +149,7 @@ def __init__(self, name, prefix, directory, *,
'GET', self.handle, name, expect_handler=expect_handler)
self._prefix = prefix
self._prefix_len = len(self._prefix)
self._directory = directory
self._directory = os.path.abspath(directory) + os.sep
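Review bot: `os.path.abspath(directory)` normalises `.` and `..` lexically but does not resolve symlinks, so a link inside the served directory that points outside it still yields a joined path that starts with `self._directory`; if symlinked content is a concern, apply `os.path.realpath` to both the directory here and the per-request joined path before the prefix comparison. Nothing in this hunk checks that `directory` exists or is a directory, so a bad argument only surfaces on the first request; validating it in `__init__` and raising `ValueError` would fail fast. Appending `os.sep` is the right call, since without it a sibling such as `static_private` would share the prefix of `static` in the comparison this value is meant for.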
@asvetlov (Member) commented on this hunk:

Please add a check for the directory like https://github.com/KeepSafe/aiohttp/blob/master/aiohttp/web_urldispatcher.py#L397
I guess the exception should be changed from AssertionError to ValueError.

@asvetlov
Member

> I think that was not intended, so I changed those tests and made them use short paths in the URLs (the tests still pass).

Agree.

@magv
Contributor Author

magv commented May 30, 2015

Like this?

@asvetlov
Member

Perfect! But you forgot to add a unit test for that...

@magv
Contributor Author

magv commented May 30, 2015

I'm not really sure where to put it though. Is this OK?

asvetlov added a commit that referenced this pull request May 30, 2015
Validate full file path in the static file handler
@asvetlov asvetlov merged commit d9fdf55 into aio-libs:master May 30, 2015
@asvetlov
Member

Yes

@asvetlov
Member

Thanks!

@lock

lock bot commented Oct 30, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

If you feel like there are important points made in this discussion, please include those excerpts in that new issue.

@lock lock bot added the outdated label Oct 30, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Oct 30, 2019