More db logging, db testcase, dont allow to request files from root db dir
parent
10c6d4a7a3
commit
2491814070
3 changed files with 48 additions and 4 deletions
|
@ -16,9 +16,12 @@ class Db:
|
|||
|
||||
|
||||
def connect(self):
|
||||
self.log.debug("Connecting (sqlite version: %s)..." % sqlite3.version)
|
||||
self.log.debug("Connecting to %s (sqlite version: %s)..." % (self.db_path, sqlite3.version))
|
||||
if not os.path.isdir(self.db_dir): # Directory not exits yet
|
||||
os.makedirs(self.db_dir)
|
||||
self.log.debug("Created Db path: %s" % self.db_dir)
|
||||
if not os.path.isfile(self.db_path):
|
||||
self.log.debug("Db file not exits yet: %s" % self.db_path)
|
||||
self.conn = sqlite3.connect(self.db_path)
|
||||
self.conn.row_factory = sqlite3.Row
|
||||
self.conn.isolation_level = None
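Review bot: The connect message labelled "sqlite version" prints `sqlite3.version`, which is the version of the Python binding module, not of the SQLite library that opens the file; the library version is `sqlite3.sqlite_version`. A debug line meant for diagnosing database problems, or for matching an install against SQLite advisories, should report the library, for example `self.log.debug("Connecting to %s (sqlite version: %s)..." % (self.db_path, sqlite3.sqlite_version))`. The rest of `connect()` may continue outside this hunk.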
|
||||
|
|
|
@ -12,8 +12,8 @@ class TestCase(unittest.TestCase):
|
|||
except Exception, err:
|
||||
raise unittest.SkipTest(err)
|
||||
self.assertIn("Not Found", urllib.urlopen("http://127.0.0.1:43110/media//sites.json").read())
|
||||
self.assertIn("Not Found", urllib.urlopen("http://127.0.0.1:43110/media/./sites.json").read())
|
||||
self.assertIn("Not Found", urllib.urlopen("http://127.0.0.1:43110/media/../config.py").read())
|
||||
self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/./sites.json").read())
|
||||
self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/../config.py").read())
|
||||
self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/1P2rJhkQjYSHdHpWDDwxfRGYXaoWE8u1vV/../sites.json").read())
|
||||
self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/1P2rJhkQjYSHdHpWDDwxfRGYXaoWE8u1vV/..//sites.json").read())
|
||||
self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/1P2rJhkQjYSHdHpWDDwxfRGYXaoWE8u1vV/../../config.py").read())
|
||||
|
@ -113,6 +113,46 @@ class TestCase(unittest.TestCase):
|
|||
ok += 1
|
||||
|
||||
self.assertEqual(ok, len(SiteManager.TRACKERS))
|
||||
|
||||
|
||||
def testDb(self):
|
||||
print "Importing db..."
|
||||
from Db import Db
|
||||
for db_path in [os.path.abspath("data/test/zeronet.db"), "data/test/zeronet.db"]:
|
||||
print "Creating db using %s..." % db_path,
|
||||
schema = {
|
||||
"db_name": "TestDb",
|
||||
"db_file": "data/test/zeronet.db",
|
||||
"map": {
|
||||
"data.json": {
|
||||
"to_table": {
|
||||
"test": "test"
|
||||
}
|
||||
}
|
||||
},
|
||||
"tables": {
|
||||
"test": {
|
||||
"cols": [
|
||||
["test_id", "INTEGER"],
|
||||
["title", "TEXT"],
|
||||
],
|
||||
"indexes": ["CREATE UNIQUE INDEX test_id ON test(test_id)"],
|
||||
"schema_changed": 1426195822
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if os.path.isfile("data/test/zeronet.db"): os.unlink("data/test/zeronet.db")
|
||||
db = Db(schema, "data/test/zeronet.db")
|
||||
db.checkTables()
|
||||
db.close()
|
||||
|
||||
# Cleanup
|
||||
os.unlink("data/test/zeronet.db")
|
||||
os.rmdir("data/test/")
|
||||
print "ok"
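Review bot: In `testDb` (the second hunk of this file) the loop variable `db_path` is only printed. The `os.path.isfile`/`os.unlink` check and `Db(schema, "data/test/zeronet.db")` both use the literal relative path, so both iterations run the same case and the absolute-path variant is never exercised. Passing the variable through, `if os.path.isfile(db_path): os.unlink(db_path)` and `db = Db(schema, db_path)`, would make the loop test what its list suggests. The cleanup (`os.unlink`, `os.rmdir`) also runs only on success, so a failing `checkTables()` leaves the database file behind for the next run; a `try`/`finally` around the body would avoid that.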
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -204,7 +204,8 @@ class UiRequest(object):
|
|||
address = match.group("address")
|
||||
file_path = "data/%s/%s" % (address, match.group("inner_path"))
|
||||
allowed_dir = os.path.abspath("data/%s" % address) # Only files within data/sitehash allowed
|
||||
if ".." in file_path or not os.path.dirname(os.path.abspath(file_path)).startswith(allowed_dir): # File not in allowed path
|
||||
data_dir = os.path.abspath("data") # No files from data/ allowed
|
||||
if ".." in file_path or not os.path.dirname(os.path.abspath(file_path)).startswith(allowed_dir) or allowed_dir == data_dir: # File not in allowed path
|
||||
return self.error403()
|
||||
else:
|
||||
if config.debug and file_path.split("/")[-1].startswith("all."): # When debugging merge *.css to all.css and *.js to all.js
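Review bot: The containment test in the new `if` is still a plain string-prefix comparison on `os.path.abspath` output, and the added `allowed_dir == data_dir` clause covers one normalisation case rather than tightening the check itself. `startswith(allowed_dir)` has no trailing separator, and `abspath` does not resolve symlinks, so a link stored inside a site directory would not be caught if site content can contain one (not visible here). I would resolve both sides and compare with a separator: `file_dir = os.path.dirname(os.path.realpath(file_path))`, then `not (file_dir + os.sep).startswith(os.path.realpath(allowed_dir) + os.sep)`. Validating `address` against the expected site-address format before building `file_path` would make the data-root case unreachable instead of special-cased. The enclosing method starts and ends outside the hunk.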
|
||||
|
|