[SCM] build.samba.org - branch master updated

Matthieu Patou mat at samba.org
Wed Nov 10 15:00:54 MST 2010 

The branch, master has been updated
       via  94ae43a Serve in standalone mode only files that are local the current folder
      from  4db119b We no longer have CVS-based projects, and should not introduce any newer; remove cvslog.pl.

http://gitweb.samba.org/?p=build-farm.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 94ae43ae63388a10385e4d07f66cd8f15a36d38a
Author: Matthieu Patou <mat at matws.net>
Date:   Thu Nov 11 01:00:40 2010 +0300

    Serve in standalone mode only files that are local the current folder
    
    This should avoid security problem

-----------------------------------------------------------------------

Summary of changes:
 web/build.py |   25 +++++++++++++------------
 1 files changed, 13 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/web/build.py b/web/build.py
index 67546a9..5c342ea 100755
--- a/web/build.py
+++ b/web/build.py
@@ -912,18 +912,19 @@ def buildApp(environ, start_response):
 
     if standalone and environ['PATH_INFO']:
         dir = os.path.join(os.path.dirname(__file__))
-        static_file = "%s/%s" % (dir, environ['PATH_INFO'])
-        if os.path.exists(static_file):
-            tab = environ['PATH_INFO'].split('.')
-            if len(tab) > 1:
-                extension = tab[-1]
-                import mimetypes
-                mimetypes.init()
-                type = mimetypes.types_map[".%s" % extension]
-                start_response('200 OK', [('Content-type', type)])
-                data = open(static_file, 'rb').read()
-                yield data
-                return
+        if re.match("^/[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)?", environ['PATH_INFO']):
+            static_file = "%s/%s" % (dir, environ['PATH_INFO'])
+            if os.path.exists(static_file):
+                tab = environ['PATH_INFO'].split('.')
+                if len(tab) > 1:
+                    extension = tab[-1]
+                    import mimetypes
+                    mimetypes.init()
+                    type = mimetypes.types_map[".%s" % extension]
+                    start_response('200 OK', [('Content-type', type)])
+                    data = open(static_file, 'rb').read()
+                    yield data
+                    return
 
     if fn_name == 'text_diff':
         start_response('200 OK', [('Content-type', 'application/x-diff')])


-- 
build.samba.org

More information about the samba-cvs mailing list