Changeset 742:bc689845bdd9 in hatta-dev
hatta.py
r740 r742 306 306 307 307 self.charset = charset or 'utf-8' 308 self.path = path308 self.path = os.path.abspath(path) 309 309 if not os.path.exists(self.path): 310 310 os.makedirs(self.path) … … 356 356 return path 357 357 358 359 def _check_path(self, path): 360 """ 361 Ensure that the path is within allowed bounds. 362 """ 363 364 abspath = os.path.abspath(path) 365 if os.path.islink(path) or os.path.isdir(path): 366 raise werkzeug.exceptions.Forbidden(_(u"Can't use symbolic links or directories as pages")) 367 if not abspath.startswith(self.path): 368 raise werkzeug.exceptions.Forbidden(_(u"Can't read or write outside of the pages repository")) 369 358 370 def _file_path(self, title): 359 371 title = unicode(title).strip() … … 413 425 repo_file = self._title_to_file(title) 414 426 file_path = self._file_path(title) 415 if os.path.islink(file_path) or os.path.isdir(file_path): 416 raise werkzeug.exceptions.Forbidden(_(u"Can't edit symbolic links or directories")) 427 self._check_path(file_path) 417 428 mercurial.util.rename(file_name, file_path) 418 429 changectx = self._changectx() … … 484 495 repo_file = self._title_to_file(title) 485 496 file_path = self._file_path(title) 486 if os.path.islink(file_path) or os.path.isdir(file_path): 487 raise werkzeug.exceptions.Forbidden(_(u"Can't edit symbolic links or directories")) 497 self._check_path(file_path) 488 498 try: 489 499 os.unlink(file_path) … … 497 507 498 508 file_path = self._file_path(title) 499 if os.path.islink(file_path) or os.path.isdir(file_path): 500 raise werkzeug.exceptions.Forbidden(_(u"Can't read symbolic links or directories")) 509 self._check_path(file_path) 501 510 try: 502 511 return open(file_path, "rb")
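Review bot: The containment test in the new `_check_path`, `abspath.startswith(self.path)`, is a plain string-prefix comparison, so a sibling path that only shares the prefix passes it (constructed example: repository `/srv/pages`, path `/srv/pages-old/x`). Because `self.path` is now the output of `os.path.abspath` and so carries no trailing separator, the comparison should be made against the root plus a separator: `if not abspath.startswith(os.path.join(self.path, '')):`. Separately, `os.path.abspath` does not resolve symlinks and `os.path.islink(path)` inspects only the final component, so a symlinked intermediate directory inside the repository would presumably still be followed. Using `os.path.realpath` for both `self.path` and `abspath` would cover that, if `_file_path` can produce nested paths at all; its body and those of the three callers lie outside the visible hunks.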
