You are viewing a plain text version of this content. The canonical link for it is here.

Posted to mod_python-dev@quetz.apache.org by "Graham Dumpleton (JIRA)" <ji...@apache.org> on 2005/02/26 08:16:48 UTC

[jira] Created: (MODPYTHON-23) mod_python.publisher default index file traversal

mod_python.publisher default index file traversal
-------------------------------------------------

         Key: MODPYTHON-23
         URL: http://issues.apache.org/jira/browse/MODPYTHON-23
     Project: mod_python
        Type: Bug
    Versions: 3.1.4    
    Reporter: Graham Dumpleton


If one has an "index.py" file and one is using:

  SetHandler mod_python
  PythonHandler mod_python.publisher

with the "index.py" file containing:

  class MyObject:
    def method(self):
      return "MyObject.method()"
    def __str__(self):
      return "MyObject.__str__()"

  myobject = MyObject()

One can access the method of the class instance as:

  /index/myobject/method

and the object itself as:

  /index/myobject

One can also leave out "index" in the latter and just say:

  /myobject

and it will still work. If one however says:

  /myobject/method

it doesn't work.

In summary, when using fallback mechanism onto "index.py", traversal
into any object does not work.

To fix this a few changes would be needed in publisher.py. First off change:

        # try again, using default module, perhaps this is a 
        # /directory/function (as opposed to /directory/module/function)
        func_path = module_name
        module_name = "index"

to:

        # try again, using default module, perhaps this is a 
        # /directory/function (as opposed to /directory/module/function)
        #func_path = module_name
        if func_path:
            func_path = module_name + '.' + func_path
        else:
            func_path = module_name
        module_name = "index"

One then must move the code:

    # default to 'index' if no path_info was given
    if not func_path:  
        func_path = "index"

This should be relocated to after the module is imported. Ie., just before:

    # does it have an __auth__?

One also needs to change:

    # if any part of the path begins with "_", abort
    if func_path[0] == '_' or func_path.count("._"):
        raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND

to:

    # if any part of the path begins with "_", abort
    if func_path[:1] == '_' or func_path.count("._"):
        raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND

This is needed because the movement of the setting to func_path to "index"
means that func_path may not be set at that point. Thus use "[:1]" to cope
with that, or nest it in an "if" statement such as:

    # if any part of the path begins with "_", abort
    if func_path and (func_path[0] == '_' or func_path.count("._")):
        raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND

Note that actual changes given above untested on publisher.py itself.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira

[jira] Closed: (MODPYTHON-23) mod_python.publisher default index file traversal

Posted by "Graham Dumpleton (JIRA)" <ji...@apache.org>.

     [ http://issues.apache.org/jira/browse/MODPYTHON-23?page=all ]
     
Graham Dumpleton closed MODPYTHON-23:
-------------------------------------


> mod_python.publisher default index file traversal
> -------------------------------------------------
>
>          Key: MODPYTHON-23
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-23
>      Project: mod_python
>         Type: Bug
>     Versions: 3.1.4
>     Reporter: Graham Dumpleton
>     Assignee: Nicolas Lehuen
>      Fix For: 3.2.7

>
> If one has an "index.py" file and one is using:
>   SetHandler mod_python
>   PythonHandler mod_python.publisher
> with the "index.py" file containing:
>   class MyObject:
>     def method(self):
>       return "MyObject.method()"
>     def __str__(self):
>       return "MyObject.__str__()"
>   myobject = MyObject()
> One can access the method of the class instance as:
>   /index/myobject/method
> and the object itself as:
>   /index/myobject
> One can also leave out "index" in the latter and just say:
>   /myobject
> and it will still work. If one however says:
>   /myobject/method
> it doesn't work.
> In summary, when using fallback mechanism onto "index.py", traversal
> into any object does not work.
> To fix this a few changes would be needed in publisher.py. First off change:
>         # try again, using default module, perhaps this is a 
>         # /directory/function (as opposed to /directory/module/function)
>         func_path = module_name
>         module_name = "index"
> to:
>         # try again, using default module, perhaps this is a 
>         # /directory/function (as opposed to /directory/module/function)
>         #func_path = module_name
>         if func_path:
>             func_path = module_name + '.' + func_path
>         else:
>             func_path = module_name
>         module_name = "index"
> One then must move the code:
>     # default to 'index' if no path_info was given
>     if not func_path:  
>         func_path = "index"
> This should be relocated to after the module is imported. Ie., just before:
>     # does it have an __auth__?
> One also needs to change:
>     # if any part of the path begins with "_", abort
>     if func_path[0] == '_' or func_path.count("._"):
>         raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
> to:
>     # if any part of the path begins with "_", abort
>     if func_path[:1] == '_' or func_path.count("._"):
>         raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
> This is needed because the movement of the setting to func_path to "index"
> means that func_path may not be set at that point. Thus use "[:1]" to cope
> with that, or nest it in an "if" statement such as:
>     # if any part of the path begins with "_", abort
>     if func_path and (func_path[0] == '_' or func_path.count("._")):
>         raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
> Note that actual changes given above untested on publisher.py itself.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

[jira] Resolved: (MODPYTHON-23) mod_python.publisher default index file traversal

Posted by "Nicolas Lehuen (JIRA)" <ji...@apache.org>.

     [ http://issues.apache.org/jira/browse/MODPYTHON-23?page=all ]
     
Nicolas Lehuen resolved MODPYTHON-23:
-------------------------------------

      Assign To: Nicolas Lehuen
     Resolution: Fixed
    Fix Version: 3.2.0

Fixed along with MODPYTHON-9.

> mod_python.publisher default index file traversal
> -------------------------------------------------
>
>          Key: MODPYTHON-23
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-23
>      Project: mod_python
>         Type: Bug
>     Versions: 3.1.4
>     Reporter: Graham Dumpleton
>     Assignee: Nicolas Lehuen
>      Fix For: 3.2.0

>
> If one has an "index.py" file and one is using:
>   SetHandler mod_python
>   PythonHandler mod_python.publisher
> with the "index.py" file containing:
>   class MyObject:
>     def method(self):
>       return "MyObject.method()"
>     def __str__(self):
>       return "MyObject.__str__()"
>   myobject = MyObject()
> One can access the method of the class instance as:
>   /index/myobject/method
> and the object itself as:
>   /index/myobject
> One can also leave out "index" in the latter and just say:
>   /myobject
> and it will still work. If one however says:
>   /myobject/method
> it doesn't work.
> In summary, when using fallback mechanism onto "index.py", traversal
> into any object does not work.
> To fix this a few changes would be needed in publisher.py. First off change:
>         # try again, using default module, perhaps this is a 
>         # /directory/function (as opposed to /directory/module/function)
>         func_path = module_name
>         module_name = "index"
> to:
>         # try again, using default module, perhaps this is a 
>         # /directory/function (as opposed to /directory/module/function)
>         #func_path = module_name
>         if func_path:
>             func_path = module_name + '.' + func_path
>         else:
>             func_path = module_name
>         module_name = "index"
> One then must move the code:
>     # default to 'index' if no path_info was given
>     if not func_path:  
>         func_path = "index"
> This should be relocated to after the module is imported. Ie., just before:
>     # does it have an __auth__?
> One also needs to change:
>     # if any part of the path begins with "_", abort
>     if func_path[0] == '_' or func_path.count("._"):
>         raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
> to:
>     # if any part of the path begins with "_", abort
>     if func_path[:1] == '_' or func_path.count("._"):
>         raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
> This is needed because the movement of the setting to func_path to "index"
> means that func_path may not be set at that point. Thus use "[:1]" to cope
> with that, or nest it in an "if" statement such as:
>     # if any part of the path begins with "_", abort
>     if func_path and (func_path[0] == '_' or func_path.count("._")):
>         raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
> Note that actual changes given above untested on publisher.py itself.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira