Posted to commits@climate.apache.org by jo...@apache.org on 2014/02/02 00:57:08 UTC

svn commit: r1563516 - /incubator/climate/trunk/ocw-ui/backend/directory_helpers.py

Author: joyce
Date: Sat Feb  1 23:57:07 2014
New Revision: 1563516

URL: http://svn.apache.org/r1563516
Log:
CLIMATE-326 - clean_directory_path helper cleanup

- Add a regex to strip out duplicate slashes.
- Add check to ensure that created clean path is a valid directory.
- Remove the unneeded 'startswith' check and replace it with the simpler
  removal of a leading slash. This combined with the regex that removes
  any duplicate slashes means that this ensures no os.path.join trickery
  can occur even if a cheeky person sends dir_path as something like
  '//usr/local'. This works better since we should strip out any
  duplicate slashes to prevent accidental invalid directory creation
  anyway, so we might as well stick with the safety check that takes
  advantage of this.

Modified:
    incubator/climate/trunk/ocw-ui/backend/directory_helpers.py

Modified: incubator/climate/trunk/ocw-ui/backend/directory_helpers.py
URL: http://svn.apache.org/viewvc/incubator/climate/trunk/ocw-ui/backend/directory_helpers.py?rev=1563516&r1=1563515&r2=1563516&view=diff
==============================================================================
--- incubator/climate/trunk/ocw-ui/backend/directory_helpers.py (original)
+++ incubator/climate/trunk/ocw-ui/backend/directory_helpers.py Sat Feb  1 23:57:07 2014
@@ -115,19 +115,23 @@ def getPathLeader():
 
 def _get_clean_directory_path(path_leader, dir_path):
     ''''''
+    # Strip out any .. or . relative directories and remove duplicate slashes
     dir_path = re.sub('/\.\./|/\.\.|/\./|/\.', '/', dir_path)
+    dir_path = re.sub('//+', '/', dir_path)
 
     # Prevents the directory path from being a substring of the path leader.
     # os.path.join('/usr/local/rcmes', '/usr/local') gives '/usr/local'
-    # which could allow access to unacceptable paths.
-    if path_leader.startswith(dir_path):
+    # which could allow access to unacceptable paths. This also means that
+    if dir_path[0] == '/': dir_path = dir_path[1:]
+
+    os.path.join(path_leader, dir_path)
+    if not os.path.isdir(dir_path):
         cur_frame = sys._getframe().f_code
-        err = "{}.{}: Path leader {} cannot start with passed directory {}".format(
+        err = "{}.{}: Create path is not a valid directory {}".format(
             cur_frame.co_filename,
             cur_frame.co_name,
-            path_leader,
             dir_path
         )
         raise ValueError(err)
 
-    return os.path.join(path_leader, dir_path)
+    return dir_path
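Review bot: The result of `os.path.join(path_leader, dir_path)` is discarded, so both the `os.path.isdir(dir_path)` check and the final `return dir_path` act on the leader-less relative path, which is resolved against the process working directory rather than under `path_leader`. This looks like a dropped assignment, since the old code returned the joined path. The slash strip `dir_path[0] == '/'` raises IndexError on an empty string, and the `..` regex is a single textual pass that only matches segments preceded by a slash, so confinement is more reliable if the joined path is resolved and then checked to still lie under the leader. The comment ending in "This also means that" is an unfinished sentence and should be completed or trimmed. One possible shape for the join, containment check and return is sketched below; it keeps the existing ValueError but reports the resolved path.

```python
    # … unchanged: regex cleanup of dir_path …
    dir_path = dir_path.lstrip('/')

    # Resolve symlinks and any remaining relative segments before deciding
    # whether the result is still confined to the leader directory.
    leader = os.path.realpath(path_leader)
    clean_path = os.path.realpath(os.path.join(leader, dir_path))
    inside_leader = (clean_path + os.sep).startswith(os.path.join(leader, ''))
    if not inside_leader or not os.path.isdir(clean_path):
        # … unchanged: build err (formatting clean_path) and raise ValueError …

    return clean_path
```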