Verify that base_prefix starts with '/'

This commit is contained in:
Unrud 2022-01-22 00:34:38 +01:00
parent 340582f84c
commit 17a5e5b6e0
3 changed files with 9 additions and 6 deletions

View File

@ -4,7 +4,7 @@
## 3.1.2 ## 3.1.2
* Verify that base prefix doesn't end with '/' * Verify that base prefix starts with '/' but doesn't end with '/'
* Improve base prefix log message * Improve base prefix log message
* Never send body for HEAD requests (again) * Never send body for HEAD requests (again)

View File

@ -191,9 +191,10 @@ class Application(ApplicationPartDelete, ApplicationPartHead,
base_prefix_src = ("HTTP_X_SCRIPT_NAME" if "HTTP_X_SCRIPT_NAME" in base_prefix_src = ("HTTP_X_SCRIPT_NAME" if "HTTP_X_SCRIPT_NAME" in
environ else "SCRIPT_NAME") environ else "SCRIPT_NAME")
base_prefix = environ.get(base_prefix_src, "") base_prefix = environ.get(base_prefix_src, "")
if base_prefix.endswith("/"): if base_prefix and (base_prefix[0] != "/" or base_prefix[-1] == "/"):
logger.error("Base prefix (from %s) must not end with '/': %r", logger.error("Base prefix (from %s) must %s with '/': %r",
base_prefix_src, base_prefix) base_prefix_src, "not end" if base_prefix[-1] == "/"
else "start", base_prefix)
if base_prefix_src == "HTTP_X_SCRIPT_NAME": if base_prefix_src == "HTTP_X_SCRIPT_NAME":
return response(*httputils.BAD_REQUEST) return response(*httputils.BAD_REQUEST)
return response(*httputils.INTERNAL_SERVER_ERROR) return response(*httputils.INTERNAL_SERVER_ERROR)

View File

@ -67,7 +67,8 @@ permissions: RrWw""")
def test_root_broken_script_name(self) -> None: def test_root_broken_script_name(self) -> None:
"""GET request at "/" with SCRIPT_NAME ending with "/".""" """GET request at "/" with SCRIPT_NAME ending with "/"."""
self.get("/", check=500, SCRIPT_NAME="/radicale/") for script_name in ["/", "/radicale/", "radicale"]:
self.get("/", check=500, SCRIPT_NAME=script_name)
def test_root_http_x_script_name(self) -> None: def test_root_http_x_script_name(self) -> None:
"""GET request at "/" with HTTP_X_SCRIPT_NAME.""" """GET request at "/" with HTTP_X_SCRIPT_NAME."""
@ -78,7 +79,8 @@ permissions: RrWw""")
def test_root_broken_http_x_script_name(self) -> None: def test_root_broken_http_x_script_name(self) -> None:
"""GET request at "/" with HTTP_X_SCRIPT_NAME ending with "/".""" """GET request at "/" with HTTP_X_SCRIPT_NAME ending with "/"."""
self.get("/", check=400, HTTP_X_SCRIPT_NAME="/radicale/") for script_name in ["/", "/radicale/", "radicale"]:
self.get("/", check=400, HTTP_X_SCRIPT_NAME=script_name)
def test_sanitized_path(self) -> None: def test_sanitized_path(self) -> None:
"""GET request with unsanitized paths.""" """GET request with unsanitized paths."""