author | ianb <devnull@localhost> | 2006-12-18 00:28:21 +0000 |
---|---|---|
committer | ianb <devnull@localhost> | 2006-12-18 00:28:21 +0000 |
commit | 7c0b1546341ae5761701c4d667cbb6e87327ba19 (patch) | |
tree | ed070f240b8a249e2e407eecb1993ed558a58682 /paste/urlparser.py | |
parent | 165668aae8890fba08a5b40a83a814e4c74bf659 (diff) | |
download | paste-7c0b1546341ae5761701c4d667cbb6e87327ba19.tar.gz |
Security fix for StaticURLParser, plus unquote SCRIPT_NAME and PATH_INFO, plus don't double-unquote in StaticURLParser
Diffstat (limited to 'paste/urlparser.py')
-rw-r--r-- | paste/urlparser.py | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/paste/urlparser.py b/paste/urlparser.py
index 6aa5105..1e27a05 100644
--- a/paste/urlparser.py
+++ b/paste/urlparser.py
@@ -7,7 +7,6 @@ WSGI applications that parse the URL and dispatch to on-disk resources
 import os
 import sys
 import imp
-import urllib
 import pkg_resources
 import mimetypes
 from paste import request
@@ -203,8 +202,7 @@ class URLParser(object):
 # None of the index files found
 filename = None
 else:
- # Handle quoted chars (e.g. %20)
- filename = self.find_file(environ, urllib.unquote(name))
+ filename = self.find_file(environ, name)
 if filename is None:
 return None, filename
 else:
@@ -435,6 +433,8 @@ class StaticURLParser(object):
 self.root_directory = root_directory
 if root_directory is not None:
 self.root_directory = os.path.normpath(self.root_directory)
+ else:
+ self.root_directory = directory
 self.cache_max_age = cache_max_age
 
 def __call__(self, environ, start_response):
@@ -445,8 +445,7 @@ class StaticURLParser(object):
 # @@: This should obviously be configurable
 filename = 'index.html'
 else:
- # Handle quoted chars (e.g. %20)
- filename = urllib.unquote(request.path_info_pop(environ))
+ filename = request.path_info_pop(environ)
 full = os.path.normpath(os.path.join(self.directory, filename))
 if self.root_directory is not None and not full.startswith(self.root_directory):
 # Out of bounds
@@ -550,8 +549,7 @@ class PkgResourcesParser(StaticURLParser):
 # @@: This should obviously be configurable
 filename = 'index.html'
 else:
- # Handle quoted chars (e.g. %20)
- filename = urllib.unquote(request.path_info_pop(environ))
+ filename = request.path_info_pop(environ)
 resource = os.path.normpath(self.resource_name + '/' + filename)
 if self.root_resource is not None and not resource.startswith(self.root_resource):
 # Out of bounds |
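Review bot: The new `filename = self.find_file(environ, name)` line in URLParser now silently depends on `name` already being percent-decoded upstream, and nothing left in this file records that, so a later maintainer is likely to reintroduce the `urllib.unquote` this commit removes and bring back the double-decoding. The commit message says SCRIPT_NAME and PATH_INFO are now unquoted when they are popped, presumably in paste.request, which is not visible here. I would replace the deleted comment with a why-comment rather than nothing: `# name is already percent-decoded by request.path_info_pop; unquoting it again would let a double-encoded %252e%252e reach find_file as ..`. The enclosing method starts and ends outside this hunk.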
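Review bot: The added `else:` branch stores `directory` as `self.root_directory` without the `os.path.normpath` that the explicit branch applies two lines up, so the later `full.startswith(self.root_directory)` test compares a normalized `full` against an un-normalized root. A `directory` passed as `./static` or `/srv/./static` would then reject every request as out of bounds, unless `self.directory` is normalized earlier in `__init__`, which is outside this hunk and cannot be confirmed here. I would write `self.root_directory = os.path.normpath(directory)`, or hoist the normpath so both branches share it. `__init__` starts outside this hunk.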
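Review bot: The bounds check on the context line `if self.root_directory is not None and not full.startswith(self.root_directory):` is a plain string-prefix test, so with a root of `/srv/app/static` a request that resolves to `/srv/app/static-private/x` passes it, and the new `filename = request.path_info_pop(environ)` line feeds `full` straight into that test. The check should require equality or the root followed by a separator: `root = self.root_directory.rstrip(os.sep)` and then `if self.root_directory is not None and full != root and not full.startswith(root + os.sep):`. Note also that `os.path.normpath` does not resolve symlinks, so a link inside the tree can still point outside it; applying `os.path.realpath` to both sides would close that if it is acceptable for this server. The method starts outside this hunk.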
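Review bot: The same prefix-only bounds test appears on the context line `if self.root_resource is not None and not resource.startswith(self.root_resource):`, so a root resource of `pkg/static` also admits `pkg/static2/...`, and the new `filename = request.path_info_pop(environ)` line flows directly into it. I would require `resource == self.root_resource or resource.startswith(self.root_resource + '/')`. Separately, `os.path.normpath` is applied to a '/'-joined pkg_resources name; on Windows it rewrites the separator to a backslash, which presumably breaks both this comparison and the resource lookup that follows outside the hunk, so `posixpath.normpath` looks like the right call here. The method starts outside this hunk.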