[CalendarServer-changes] [3213] CalendarServer/trunk/lib-patches/Twisted/twisted.web2.dav.static. patch
source_changes at macosforge.org
source_changes at macosforge.org
Wed Oct 22 16:44:29 PDT 2008
Revision: 3213
http://trac.macosforge.org/projects/calendarserver/changeset/3213
Author: wsanchez at apple.com
Date: 2008-10-22 16:44:29 -0700 (Wed, 22 Oct 2008)
Log Message:
-----------
Catch twisted.python.filepath.InsecurePath properly
Modified Paths:
--------------
CalendarServer/trunk/lib-patches/Twisted/twisted.web2.dav.static.patch
Modified: CalendarServer/trunk/lib-patches/Twisted/twisted.web2.dav.static.patch
===================================================================
--- CalendarServer/trunk/lib-patches/Twisted/twisted.web2.dav.static.patch 2008-10-22 22:45:55 UTC (rev 3212)
+++ CalendarServer/trunk/lib-patches/Twisted/twisted.web2.dav.static.patch 2008-10-22 23:44:29 UTC (rev 3213)
@@ -2,13 +2,14 @@
===================================================================
--- twisted/web2/dav/static.py (revision 19773)
+++ twisted/web2/dav/static.py (working copy)
-@@ -28,16 +28,16 @@
+@@ -28,16 +28,17 @@
__all__ = ["DAVFile"]
-import os
-
+from twisted.internet.defer import succeed, deferredGenerator, waitForDeferred
++from twisted.python.filepath import InsecurePath
from twisted.python import log
-from twisted.internet.defer import succeed, deferredGenerator, waitForDeferred
-from twisted.web2.static import File
@@ -19,12 +20,12 @@
from twisted.web2.dav.resource import DAVResource, davPrivilegeSet
+from twisted.web2.dav.resource import TwistedGETContentMD5
from twisted.web2.dav.util import bindMethods
-+from twisted.web2.http import RedirectResponse
++from twisted.web2.http import HTTPError, StatusResponse, RedirectResponse
+from twisted.web2.static import File
try:
from twisted.web2.dav.xattrprops import xattrPropertyStore as DeadPropertyStore
-@@ -52,9 +52,11 @@
+@@ -52,9 +53,11 @@
Extends twisted.web2.static.File to handle WebDAV methods.
"""
@@ -39,7 +40,7 @@
"""
@param path: the path of the file backing this resource.
@param defaultType: the default mime type (as a string) for this
-@@ -62,11 +64,14 @@
+@@ -62,11 +65,14 @@
@param indexNames: a sequence of index file names.
@param acl: an L{IDAVAccessControlList} with the .
"""
@@ -59,7 +60,7 @@
def __repr__(self):
return "<%s: %s>" % (self.__class__.__name__, self.fp.path)
-@@ -75,6 +80,12 @@
+@@ -75,6 +81,12 @@
# WebDAV
##
@@ -72,7 +73,7 @@
def davComplianceClasses(self):
return ("1", "access-control") # Add "2" when we have locking
-@@ -87,7 +98,6 @@
+@@ -87,7 +99,6 @@
"""
See L{IDAVResource.isCollection}.
"""
@@ -80,7 +81,7 @@
return self.fp.isdir()
##
-@@ -98,6 +108,50 @@
+@@ -98,6 +109,50 @@
return succeed(davPrivilegeSet)
##
@@ -131,7 +132,22 @@
# Workarounds for issues with File
##
-@@ -132,7 +186,9 @@
+@@ -112,8 +167,12 @@
+ See L{IResource}C{.locateChild}.
+ """
+ # If getChild() finds a child resource, return it
+- child = self.getChild(segments[0])
+- if child is not None: return (child, segments[1:])
++ try:
++ child = self.getChild(segments[0])
++ if child is not None:
++ return (child, segments[1:])
++ except InsecurePath:
++ raise HTTPError(StatusResponse(responsecode.FORBIDDEN, "Invalid URL path"))
+
+ # If we're not backed by a directory, we have no children.
+ # But check for existance first; we might be a collection resource
+@@ -132,7 +191,9 @@
return (self.createSimilarFile(self.fp.child(path).path), segments[1:])
def createSimilarFile(self, path):
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20081022/2fe83864/attachment.html>
More information about the calendarserver-changes
mailing list