diff options
Diffstat (limited to 'libpathod')
| -rw-r--r-- | libpathod/pathoc.py | 16 | ||||
| -rw-r--r-- | libpathod/pathod.py | 5 | ||||
| -rw-r--r-- | libpathod/rparse.py | 29 | ||||
| -rw-r--r-- | libpathod/templates/docs_lang.html | 2 |
4 files changed, 47 insertions, 5 deletions
diff --git a/libpathod/pathoc.py b/libpathod/pathoc.py index 9970ffd9..3e5204c2 100644 --- a/libpathod/pathoc.py +++ b/libpathod/pathoc.py @@ -1,4 +1,4 @@ -import sys +import sys, os from netlib import tcp, http import rparse @@ -18,14 +18,19 @@ def print_full(fp, httpversion, code, msg, headers, content): class Pathoc(tcp.TCPClient): def __init__(self, host, port): tcp.TCPClient.__init__(self, host, port) + self.settings = dict( + staticdir = os.getcwd(), + unconstrained_file_access = True + ) def request(self, spec): """ Return an (httpversion, code, msg, headers, content) tuple. - May raise rparse.ParseException and netlib.http.HttpError. + May raise rparse.ParseException, netlib.http.HttpError or + rparse.FileAccessDenied. """ - r = rparse.parse_request({}, spec) + r = rparse.parse_request(self.settings, spec) ret = r.serve(self.wfile) self.wfile.flush() return http.read_response(self.rfile, r.method, None) @@ -37,7 +42,7 @@ class Pathoc(tcp.TCPClient): """ for i in reqs: try: - r = rparse.parse_request({}, i) + r = rparse.parse_request(self.settings, i) req = r.serve(self.wfile) if reqdump: print >> fp, "\n>>", req["method"], repr(req["path"]) @@ -52,6 +57,9 @@ class Pathoc(tcp.TCPClient): print >> fp, "Error parsing request spec: %s"%v.msg print >> fp, v.marked() return + except rparse.FileAccessDenied, v: + print >> fp, "File access error: %s"%v + return except http.HttpError, v: print >> fp, "<<", v.msg return diff --git a/libpathod/pathod.py b/libpathod/pathod.py index 9d155301..5180361b 100644 --- a/libpathod/pathod.py +++ b/libpathod/pathod.py @@ -71,6 +71,11 @@ class PathodHandler(tcp.BaseHandler): 800, "Error parsing response spec: %s\n"%v.msg + v.marked() ) + except rparse.FileAccessDenied: + crafted = rparse.InternalResponse( + 800, + "Access Denied" + ) request_log = dict( path = path, diff --git a/libpathod/rparse.py b/libpathod/rparse.py index 17e1ebd4..bcbd01f9 100644 --- a/libpathod/rparse.py +++ b/libpathod/rparse.py @@ -6,6 +6,8 @@ import utils BLOCKSIZE = 1024 TRUNCATE = 1024 +class FileAccessDenied(Exception): pass + class ParseException(Exception): def __init__(self, msg, s, col): Exception.__init__(self) @@ -675,7 +677,29 @@ class InternalResponse(Response): return d +FILESTART = "+" +def read_file(settings, s): + uf = settings.get("unconstrained_file_access") + sd = settings.get("staticdir") + if not sd: + raise FileAccessDenied("File access disabled.") + sd = os.path.normpath(os.path.abspath(sd)) + s = s[1:] + s = os.path.expanduser(s) + s = os.path.normpath(os.path.abspath(os.path.join(sd, s))) + if not uf and not s.startswith(sd): + raise FileAccessDenied("File access outside of configured directory") + if not os.path.isfile(s): + raise FileAccessDenied("File not readable") + return file(s, "r").read() + + def parse_response(settings, s): + """ + May raise ParseException or FileAccessDenied + """ + if s.startswith(FILESTART): + s = read_file(settings, s) try: return CraftedResponse(settings, s, Response.expr().parseString(s, parseAll=True)) except pp.ParseException, v: @@ -683,6 +707,11 @@ def parse_response(settings, s): def parse_request(settings, s): + """ + May raise ParseException or FileAccessDenied + """ + if s.startswith(FILESTART): + s = read_file(settings, s) try: return CraftedRequest(settings, s, Request.expr().parseString(s, parseAll=True)) except pp.ParseException, v: diff --git a/libpathod/templates/docs_lang.html b/libpathod/templates/docs_lang.html index 11a489b0..66b2ca30 100644 --- a/libpathod/templates/docs_lang.html +++ b/libpathod/templates/docs_lang.html @@ -109,7 +109,7 @@ <h1>Executing specs from file</h1> </div> - <pre class="example">=./path/to/spec</pre> + <pre class="example">+./path/to/spec</pre> <div class="page-header"> |