Preserve empty PATH_INFO from WSGI and strip base prefix from destination

This commit is contained in:
Unrud 2017-05-30 22:34:41 +02:00
parent 0601b81aa7
commit 8536ffee44
2 changed files with 7 additions and 6 deletions

View File

@ -357,8 +357,10 @@ class Application:
environ.get("SCRIPT_NAME", "")).rstrip("/") environ.get("SCRIPT_NAME", "")).rstrip("/")
self.logger.debug("Sanitized script name: %s", environ["SCRIPT_NAME"]) self.logger.debug("Sanitized script name: %s", environ["SCRIPT_NAME"])
base_prefix = environ["SCRIPT_NAME"] base_prefix = environ["SCRIPT_NAME"]
# Sanitize request URI # Sanitize request URI (a WSGI server indicates with an empty path,
environ["PATH_INFO"] = storage.sanitize_path(environ["PATH_INFO"]) # that the URL targets the application root without a trailing slash)
if environ["PATH_INFO"]:
environ["PATH_INFO"] = storage.sanitize_path(environ["PATH_INFO"])
self.logger.debug("Sanitized path: %s", environ["PATH_INFO"]) self.logger.debug("Sanitized path: %s", environ["PATH_INFO"])
path = environ["PATH_INFO"] path = environ["PATH_INFO"]
if base_prefix and path.startswith(base_prefix): if base_prefix and path.startswith(base_prefix):
@ -597,6 +599,9 @@ class Application:
if not self._access(user, path, "w"): if not self._access(user, path, "w"):
return NOT_ALLOWED return NOT_ALLOWED
to_path = storage.sanitize_path(to_url.path) to_path = storage.sanitize_path(to_url.path)
if not (to_path + "/").startswith(base_prefix + "/"):
return NOT_ALLOWED
to_path = to_path[len(base_prefix):]
if not self._access(user, to_path, "w"): if not self._access(user, to_path, "w"):
return NOT_ALLOWED return NOT_ALLOWED

View File

@ -466,10 +466,6 @@ class Collection(BaseCollection):
@classmethod @classmethod
def discover(cls, path, depth="0"): def discover(cls, path, depth="0"):
if path is None:
# Wrong URL
return
# Path should already be sanitized # Path should already be sanitized
sane_path = sanitize_path(path).strip("/") sane_path = sanitize_path(path).strip("/")
attributes = sane_path.split("/") attributes = sane_path.split("/")