More db logging, db testcase, dont allow to request files from root db dir

src/Db/Db.py

@@ -16,9 +16,12 @@ class Db:
 
 
 	def connect(self):
-		self.log.debug("Connecting (sqlite version: %s)..." % sqlite3.version)
+		self.log.debug("Connecting to %s (sqlite version: %s)..." % (self.db_path, sqlite3.version))
 		if not os.path.isdir(self.db_dir): # Directory not exits yet
 			os.makedirs(self.db_dir)
+			self.log.debug("Created Db path: %s" % self.db_dir)
+		if not os.path.isfile(self.db_path):
+			self.log.debug("Db file not exits yet: %s" % self.db_path)
 		self.conn = sqlite3.connect(self.db_path)
 		self.conn.row_factory = sqlite3.Row
 		self.conn.isolation_level = None

src/Test/test.py

@@ -12,8 +12,8 @@ class TestCase(unittest.TestCase):
 		except Exception, err:
 			raise unittest.SkipTest(err)
 		self.assertIn("Not Found", urllib.urlopen("http://127.0.0.1:43110/media//sites.json").read())
-		self.assertIn("Not Found", urllib.urlopen("http://127.0.0.1:43110/media/./sites.json").read())
-		self.assertIn("Not Found", urllib.urlopen("http://127.0.0.1:43110/media/../config.py").read())
+		self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/./sites.json").read())
+		self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/../config.py").read())
 		self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/1P2rJhkQjYSHdHpWDDwxfRGYXaoWE8u1vV/../sites.json").read())
 		self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/1P2rJhkQjYSHdHpWDDwxfRGYXaoWE8u1vV/..//sites.json").read())
 		self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/1P2rJhkQjYSHdHpWDDwxfRGYXaoWE8u1vV/../../config.py").read())
@@ -113,6 +113,46 @@ class TestCase(unittest.TestCase):
 					ok += 1
 
 		self.assertEqual(ok, len(SiteManager.TRACKERS))
+
+
+	def testDb(self):
+		print "Importing db..."
+		from Db import Db
+		for db_path in [os.path.abspath("data/test/zeronet.db"), "data/test/zeronet.db"]:
+			print "Creating db using %s..." % db_path,
+			schema = {
+				"db_name": "TestDb",
+				"db_file": "data/test/zeronet.db",
+				"map": {
+					"data.json": {
+						"to_table": {
+							"test": "test"
+						}
+					}
+				},
+				"tables": { 
+					"test": {
+						"cols": [
+							["test_id", "INTEGER"],  
+							["title", "TEXT"], 
+						],
+						"indexes": ["CREATE UNIQUE INDEX test_id ON test(test_id)"],
+						"schema_changed": 1426195822
+					}
+				}
+			}
+
+			if os.path.isfile("data/test/zeronet.db"): os.unlink("data/test/zeronet.db")
+			db = Db(schema, "data/test/zeronet.db")
+			db.checkTables()
+			db.close()
+
+			# Cleanup
+			os.unlink("data/test/zeronet.db")
+			os.rmdir("data/test/")
+			print "ok"
+
+
 				
 
 

src/Ui/UiRequest.py

@@ -204,7 +204,8 @@ class UiRequest(object):
 			address = match.group("address")
 			file_path = "data/%s/%s" % (address, match.group("inner_path"))
 			allowed_dir = os.path.abspath("data/%s" % address) # Only files within data/sitehash allowed
-			if ".." in file_path or not os.path.dirname(os.path.abspath(file_path)).startswith(allowed_dir): # File not in allowed path
+			data_dir = os.path.abspath("data") # No files from data/ allowed
+			if ".." in file_path or not os.path.dirname(os.path.abspath(file_path)).startswith(allowed_dir) or allowed_dir == data_dir: # File not in allowed path
 				return self.error403()
 			else:
 				if config.debug and file_path.split("/")[-1].startswith("all."): # When debugging merge *.css to all.css and *.js to all.js