climate-commits mailing list archives

From jo...@apache.org
Subject svn commit: r1482546 - /incubator/climate/trunk/rcmet/src/main/python/rcmes/services/directory_helpers.py
Date Tue, 14 May 2013 20:07:52 GMT
Author: joyce
Date: Tue May 14 20:07:51 2013
New Revision: 1482546

URL: http://svn.apache.org/r1482546
Log:
Resolves CLIMATE-14. Prevent users from listing arbitrary directories.

- Adds a prefix to all queried paths to force the user to remain in a
  desired directory.
- Strips out "/../" from the passed path to prevent moving to an
  undesired directory.

Modified:
    incubator/climate/trunk/rcmet/src/main/python/rcmes/services/directory_helpers.py

Modified: incubator/climate/trunk/rcmet/src/main/python/rcmes/services/directory_helpers.py
URL: http://svn.apache.org/viewvc/incubator/climate/trunk/rcmet/src/main/python/rcmes/services/directory_helpers.py?rev=1482546&r1=1482545&r2=1482546&view=diff
==============================================================================
--- incubator/climate/trunk/rcmet/src/main/python/rcmes/services/directory_helpers.py (original)
+++ incubator/climate/trunk/rcmet/src/main/python/rcmes/services/directory_helpers.py Tue
May 14 20:07:51 2013
@@ -7,16 +7,22 @@ from bottle import request, route
 import os
 import json
 
+PATH_LEADER = "/usr/local/rcmes"
+
 @route('/getDirInfo/<dirPath:path>')
 def getDirectoryInfo(dirPath):
+    dirPath = PATH_LEADER + dirPath
+    dirPath = dirPath.replace('/../', '/')
+    dirPath = dirPath.replace('/./', '/')
+
     if os.path.isdir(dirPath):
         listing = os.listdir(dirPath)
         listingNoHidden = [f for f in listing if f[0] != '.']
         joinedPaths = [os.path.join(dirPath, f) for f in listingNoHidden]
         joinedPaths = [f + "/" if os.path.isdir(f) else f for f in joinedPaths]
-        sorted(joinedPaths, key=lambda s: s.lower())
-        returnJSON = joinedPaths
-
+        finalPaths = [p.replace(PATH_LEADER, '') for p in joinedPaths]
+        sorted(finalPaths, key=lambda s: s.lower())
+        returnJSON = finalPaths
     else:
         returnJSON = []
 
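Review bot: The two `replace` calls at the top of `getDirectoryInfo` strip substrings rather than check containment: a single pass does not cover every spelling of a parent reference (overlapping or trailing `..` segments, for instance) and it ignores symlinks under the root, so the directory that gets listed can still fall outside `PATH_LEADER`. `PATH_LEADER + dirPath` also has no separator, and since Bottle's `<dirPath:path>` capture presumably arrives without a leading slash, the result would be a sibling name of the form `/usr/local/rcmes<name>` rather than a path under the root. Resolve the request with `os.path.realpath` and compare the canonical path against the root before calling `os.listdir`, as sketched below. The `sorted(...)` result is still discarded, so the listing goes out unsorted; assign it. The function body continues past the end of the hunk.

```python
def getDirectoryInfo(dirPath):
    # Canonicalise first, then decide; never list a path that was only "cleaned".
    root = os.path.realpath(PATH_LEADER)
    dirPath = os.path.realpath(os.path.join(root, dirPath.lstrip('/')))
    insideRoot = dirPath == root or dirPath.startswith(root + os.sep)

    if insideRoot and os.path.isdir(dirPath):
        # … unchanged: os.listdir, hidden-file filter, join, trailing "/" on directories …
        finalPaths = [p[len(root):] for p in joinedPaths]
        returnJSON = sorted(finalPaths, key=lambda s: s.lower())
    # … unchanged: else branch returning [] …
```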


