The branch, master has been updated via 94ae43a Serve in standalone mode only files that are local the current folder from 4db119b We no longer have CVS-based projects, and should not introduce any newer; remove cvslog.pl.
http://gitweb.samba.org/?p=build-farm.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 94ae43ae63388a10385e4d07f66cd8f15a36d38a
Author: Matthieu Patou <m...@matws.net>
Date: Thu Nov 11 01:00:40 2010 +0300
Serve in standalone mode only files that are local the current folder
This should avoid security problem
-----------------------------------------------------------------------
Summary of changes:
web/build.py | 25 +++++++++++++------------
1 files changed, 13 insertions(+), 12 deletions(-)
Changeset truncated at 500 lines:
diff --git a/web/build.py b/web/build.py
index 67546a9..5c342ea 100755
--- a/web/build.py
+++ b/web/build.py
@@ -912,18 +912,19 @@ def buildApp(environ, start_response):
 if standalone and environ['PATH_INFO']:
 dir = os.path.join(os.path.dirname(__file__))
- static_file = "%s/%s" % (dir, environ['PATH_INFO'])
- if os.path.exists(static_file):
- tab = environ['PATH_INFO'].split('.')
- if len(tab) > 1:
- extension = tab[-1]
- import mimetypes
- mimetypes.init()
- type = mimetypes.types_map[".%s" % extension]
- start_response('200 OK', [('Content-type', type)])
- data = open(static_file, 'rb').read()
- yield data
- return
+ if re.match("^/[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)?", environ['PATH_INFO']):
+ static_file = "%s/%s" % (dir, environ['PATH_INFO'])
+ if os.path.exists(static_file):
+ tab = environ['PATH_INFO'].split('.')
+ if len(tab) > 1:
+ extension = tab[-1]
+ import mimetypes
+ mimetypes.init()
+ type = mimetypes.types_map[".%s" % extension]
+ start_response('200 OK', [('Content-type', type)])
+ data = open(static_file, 'rb').read()
+ yield data
+ return
 if fn_name == 'text_diff':
 start_response('200 OK', [('Content-type', 'application/x-diff')])
-- 
build.samba.org
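Review bot: The new guard `if re.match("^/[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)?", environ['PATH_INFO']):` is anchored only at the start of the path, so it accepts anything that merely begins with a plain name, and `static_file` is then built from the unnormalized PATH_INFO — a request such as `/sub/../../secret.txt` still passes whenever `sub` is an existing subdirectory, so the traversal the message says this avoids is only blocked for paths that begin with `..` or a second `/`. Anchoring the pattern at the end, `if re.match(r"^/[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)?$", environ['PATH_INFO']):`, enforces the stated intent of one file directly inside the script's directory; a defence-in-depth alternative is to reject the request unless `os.path.realpath(static_file)` starts with `dir` before opening it. With the end anchor in place `extension = tab[-1]` is guaranteed to be a bare token, but `mimetypes.types_map[".%s" % extension]` still raises KeyError for any extension mimetypes does not know (and the unanchored pattern lets `build.py` itself be served), so a 404 for unknown or unwanted extensions would be safer than the resulting 500. The hunk also relies on `re` being imported elsewhere in the file, which is not visible here. buildApp begins before this hunk and continues after it.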