comparison roundup/cgi/templating.py @ 5145:d22eb1d40d0e
issue2550701, issue2550891: deal with the path traversal issue in the TAL-based template-finding code. Use the standard method.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 14 Jul 2016 18:33:37 -0400 |
| parents | 8901cc4ef0e0 |
| children | 153833fe124f |
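--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -18,11 +18,11 @@
 """
 
 __docformat__ = 'restructuredtext'
 
 
-import cgi, urllib, re, os.path, mimetypes, csv
+import cgi, urllib, re, os.path, mimetypes, csv, string
 import calendar
 import textwrap
 
 from roundup import hyperdb, date, support
 from roundup import i18n
@@ -114,13 +114,18 @@
         self.dir = dir
 
     def _find(self, name):
         """ Find template, return full path and filename of the
         template if it is found, None otherwise."""
+        realsrc = os.path.realpath(self.dir)
         for extension in ['', '.html', '.xml']:
             f = name + extension
-            src = os.path.join(self.dir, f)
+            src = os.path.join(realsrc, f)
+            realpath = os.path.realpath(src)
+            print f, src, realpath, realsrc
+            if string.find(realpath, realsrc) != 0:
+                return # will raise invalid template
             if os.path.exists(src):
                 return (src, f)
 
     def check(self, name):
         return bool(self._find(name))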
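Review bot: The containment test on new line 125, `if string.find(realpath, realsrc) != 0:`, is a bare string-prefix check, so a resolved path that merely begins with the template directory's name (a sibling directory such as `<template dir>2/...`) still passes it; compare against the directory plus a trailing separator instead, `if not realpath.startswith(os.path.join(realsrc, '')):`. The debug statement on new line 124, `print f, src, realpath, realsrc`, writes every attempted template path to stdout, which under a CGI front-end is presumably the response stream, and should be dropped before this ships. `string.find` is also the deprecated module-level form; the `str.startswith` replacement above removes the need for the `string` import added on line 23.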
