author | Aldo Cortesi <aldo@nullcube.com> | 2012-07-22 23:46:56 +1200 |
committer | Aldo Cortesi <aldo@nullcube.com> | 2012-07-22 23:46:56 +1200 |
commit | 96db3557ce88cd6f4993a1c090d0d717b34db57e (patch) | |
tree | eda74e647026215f678627cb9c6bf5777bc3490b | |
parent | 1b03fd6780f69f1d1f460868d5592587cb0c9c50 (diff) | |
Constrain file access to configured directory in pathod.
-rw-r--r-- | libpathod/rparse.py | 16 | ||||
-rw-r--r-- | test/test_rparse.py | 6 |
2 files changed, 15 insertions, 7 deletions
diff --git a/libpathod/rparse.py b/libpathod/rparse.py
index bcbd01f9..810fefc0 100644
--- a/libpathod/rparse.py
+++ b/libpathod/rparse.py
@@ -243,13 +243,19 @@ class ValueFile:
         return e.setParseAction(lambda x: klass(*x))
 
     def get_generator(self, settings):
+        uf = settings.get("unconstrained_file_access")
         sd = settings.get("staticdir")
         if not sd:
-            raise ServerError("No static directory specified.")
-        path = os.path.join(sd, self.path)
-        if not os.path.exists(path):
-            raise ServerError("Static file does not exist: %s"%path)
-        return FileGenerator(path)
+            raise ServerError("File access disabled.")
+        sd = os.path.normpath(os.path.abspath(sd))
+
+        s = os.path.expanduser(self.path)
+        s = os.path.normpath(os.path.abspath(os.path.join(sd, s)))
+        if not uf and not s.startswith(sd):
+            raise ServerError("File access outside of configured directory")
+        if not os.path.isfile(s):
+            raise ServerError("File not readable")
+        return FileGenerator(s)
 
     def __str__(self):
         return "<%s"%(self.path)
diff --git a/test/test_rparse.py b/test/test_rparse.py
index f3dc7367..23c9b3e6 100644
--- a/test/test_rparse.py
+++ b/test/test_rparse.py
@@ -70,7 +70,10 @@ class TestMisc:
 
         v = rparse.Value.parseString("<path2")[0]
         tutils.raises(rparse.ServerError, v.get_generator, dict(staticdir=t))
-        tutils.raises("no static directory", v.get_generator, dict())
+        tutils.raises("access disabled", v.get_generator, dict())
+
+        v = rparse.Value.parseString("</outside")[0]
+        tutils.raises("outside", v.get_generator, dict(staticdir=t))
 
     def test_generated_value(self):
         v = rparse.Value.parseString("@10b")[0]
@@ -431,7 +434,6 @@ class TestResponse:
         testlen(rparse.parse_response({}, "400'msg':h'foo'='bar':b@100b"))
 
 
-
 def test_read_file():
     tutils.raises(rparse.FileAccessDenied, rparse.read_file, {}, "=/foo")
     p = tutils.test_data.path("data") |
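Review bot: The containment check `if not uf and not s.startswith(sd):` in get_generator is a bare string-prefix test, and because `sd` has just been normpath'd it carries no trailing separator, so a sibling directory whose name merely begins with the static directory's name (constructed example: `static` versus `static2`) is accepted as "inside". Compare against the directory as a whole path component instead: `if not uf and s != sd and not s.startswith(sd + os.sep):`. Separately, `normpath`/`abspath` do not resolve symlinks, so a link placed inside the static directory that points elsewhere is still served; if that is not intended, applying `os.path.realpath` to both `sd` and `s` before the comparison would close it. The `os.path.expanduser(self.path)` call on a request-supplied spec also deserves a one-line comment, since a `~`-prefixed spec is expanded against the server process's home directory before the join and is then subject to the same containment check.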
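Review bot: The new assertion in test_rparse.py only exercises an absolute `</outside` spec, which `os.path.join` resolves by discarding `staticdir` entirely, so the `..`-relative case and the sibling-prefix case that the `startswith` check in rparse.py is meant to reject are still untested. Adding `v = rparse.Value.parseString("<../outside")[0]` followed by `tutils.raises("outside", v.get_generator, dict(staticdir=t))` would cover the traversal path through the same check. The enclosing test method starts outside the hunk.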