Changeset 756:8745488a7e28 in hatta-dev


Timestamp:
02/10/10 21:36:13 (2 years ago)
Author:
sheep@…
Branch:
default
Message:

make sure to escape Windows special filenames and unix dotfiles

Files:
2 edited

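--- a/hatta.py
+++ b/hatta.py
@@ -383,5 +383,4 @@
         return path
 
-
     def _check_path(self, path):
         """
@@ -391,8 +390,9 @@
         abspath = os.path.abspath(path)
         if os.path.islink(path) or os.path.isdir(path):
-            raise werkzeug.exceptions.Forbidden(_(u"Can't use symbolic links or directories as pages"))
+            raise werkzeug.exceptions.Forbidden(
+                _(u"Can't use symbolic links or directories as pages"))
         if not abspath.startswith(self.path):
-            raise werkzeug.exceptions.Forbidden(_(u"Can't read or write outside of the pages repository"))
-
+            raise werkzeug.exceptions.Forbidden(
+                _(u"Can't read or write outside of the pages repository"))
 
     def _file_path(self, title):
@@ -401,10 +401,22 @@
     def _title_to_file(self, title):
         title = unicode(title).strip()
-        return os.path.join(self.repo_prefix,
-                            werkzeug.url_quote(title, safe=''))
-
-    def _file_to_title(self, filename):
-        assert filename.startswith(self.repo_prefix)
-        name = filename[len(self.repo_prefix):].strip('/')
+        filename = werkzeug.url_quote(title, safe='')
+        # Escape special windows filenames and dot files
+        _windows_device_files = ('CON', 'AUX', 'COM1', 'COM2', 'COM3',
+                                 'COM4', 'LPT1', 'LPT2', 'LPT3', 'PRN',
+                                 'NUL')
+        if (filename.split('.')[0].upper() in _windows_device_files or
+            filename.startswith('_') or filename.startswith('.')):
+            filename = '_' + filename
+        return os.path.join(self.repo_prefix, filename)
+
+    def _file_to_title(self, filepath):
+        if not filepath.startswith(self.repo_prefix):
+            raise werkzeug.exceptions.Forbidden(
+                _(u"Can't read or write outside of the pages repository"))
+        name = filepath[len(self.repo_prefix):].strip('/')
+        # Unescape special windows filenames and dot files
+        if name.startswith('_') and len(name)>1:
+            name = name[1:]
         return werkzeug.url_unquote(name)
 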
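Review bot: The reserved-name tuple in `_title_to_file` stops at `COM4` and `LPT3`, so titles such as `COM5`–`COM9` or `LPT4`–`LPT9` are still written unescaped and would resolve to a device name on a Windows checkout. Building the list over the full range closes the gap, e.g. `_windows_device_files = ('CON', 'PRN', 'AUX', 'NUL') + tuple('%s%d' % (p, i) for p in ('COM', 'LPT') for i in range(1, 10))`. The unescape in `_file_to_title` strips a leading `_` from every stored name, so a page file saved before this change whose name already began with `_` would now map to a different title; that probably calls for a one-time rename of existing files, though the repository contents are not visible here. Separately, the `abspath.startswith(self.path)` test kept in `_check_path` is a plain string prefix, so a sibling directory whose name merely begins with the repository path would pass; comparing against `self.path + os.sep` (or equality with `self.path`) would be tighter.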
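--- a/tests/test_repo.py
+++ b/tests/test_repo.py
@@ -155,5 +155,5 @@
 
         title = u'../some/+s page/ąęść?.txt'
-        filename = '..%2Fsome%2F%2Bs%20page%2F%C4%85%C4%99%C5%9B%C4%87%3F.txt'
+        filename = '_..%2Fsome%2F%2Bs%20page%2F%C4%85%C4%99%C5%9B%C4%87%3F.txt'
         filepath = os.path.join(repo.path, filename)
         repo.save_text(title, self.text, self.author, self.comment, parent=-1)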
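Review bot: The only expectation touched here is the leading-dot title, so the Windows device-name branch and the `_` prefix round trip added in hatta.py have no coverage visible in this hunk. A case per branch would pin the behaviour, for instance asserting that a title of `CON.txt` is stored as `_CON.txt` and that a title of `_x` comes back unchanged after `_title_to_file` followed by `_file_to_title`. The enclosing test method starts and ends outside the hunk, so existing cases elsewhere in the file cannot be ruled out.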