[Zope-Checkins] CVS: Zope3/lib/python/Zope/Server/VFS - OSFileSystem.py:1.1.2.3

Stephan Richter srichter@cbu.edu
Tue, 2 Apr 2002 13:13:06 -0500


Update of /cvs-repository/Zope3/lib/python/Zope/Server/VFS
In directory cvs.zope.org:/tmp/cvs-serv23618

Modified Files:
      Tag: Zope3-Server-Branch
	OSFileSystem.py 
Log Message:
Issue 48: Comment

Here is the first cut of writing tests. Right now it tests only 2 methods
so far, but I keep working on it.

But now it is lunch time!


=== Zope3/lib/python/Zope/Server/VFS/OSFileSystem.py 1.1.2.2 => 1.1.2.3 ===
 
     def normalize (self, path):
-            # watch for the ever-sneaky '/+' path element
+        # watch for the ever-sneaky '/+' path element
         path = re.sub('/+', '/', path)
-        p = self.path_module.normpath (path)
-        # remove 'dangling' cdup's.
-        if len(p) > 2 and p[:3] == '/..':
-            p = '/'
-        return p
+        # Someone is trying to get lower than the permitted root.
+        # We just ignore it. 
+        path = self.path_module.normpath(path)
+        if len(path) > 1 and path[:3] == '..':
+            path = '/'
+        elif len(path) > 2 and path[:3] == '../':
+            path = '/'
+        return path
 
         
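Review bot: In normalize, the first new test `path[:3] == '..'` compares a three-character slice with a two-character string, so it is true only when the whole path is exactly `..`; that appears to be the intent, but it reads as a typo and should be written as `path == '..'`. The `len(path) > 2` guard on the `elif` is redundant, since the slice comparison already fails on shorter strings. Both tests also hard-code `/` as the separator while the normalization is delegated to `self.path_module.normpath`; if `path_module` uses a different separator, a normalized result such as `..` followed by that separator will not match `'../'`. Consider comparing against `self.path_module.sep` (or `os.sep`) instead, and moving the "lower than the permitted root" comment below the `normpath` call, next to the checks it describes.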
     def translate (self, path):
         """We need to join together three separate path components,
-           and do it safely.  <real_root>/<current_directory>/<path>
+           and do it safely.  <real_root>/<path>
            use the operating system's path separator.
-        """        
-        path = os.sep.join('/'.split(path))
-        p = self.normalize(self.path_module.join(self.wd, path))
-        p = self.normalize(self.path_module.join(self.root, p[1:]))
-        return p
+
+           We need to be extremly careful to include the cases where a hacker
+           could attempt to a directory below root!
+        """
+        # Normalize the directory
+        path = os.sep.join(path.split('/'))
+        path = self.normalize(self.path_module.join(path))        
+        # Prepare for joining with root
+        if path[0] == '/':
+            path = path[1:]
+        # Join path with root
+        path = self.path_module.join(self.root, path)
+        return path
 
         
     def __repr__ (self):
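Review bot: In translate, the joined result is returned without any check that it still lies under `self.root`; containment depends entirely on the prefix tests in normalize and on the `path[0] == '/'` strip. That strip tests for a literal `/` after the path has already been converted to `os.sep` on the line above, so where `os.sep` is not `/` a leading separator is left in place, and `join` discards `self.root` when its second argument is absolute. Suggest testing against `os.sep` (or `self.path_module.sep`) and, before returning, normalizing the joined path and confirming it equals `self.root` or starts with `self.root` plus the separator, falling back to the root otherwise. Separately, `self.path_module.join(path)` with a single argument returns `path` unchanged and can be dropped now that `self.wd` is no longer joined in, and the new docstring sentence is missing a verb ("attempt to a directory below root") and misspells "extremely".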