Preserve empty PATH_INFO from WSGI and strip base prefix from destination
parent
0601b81aa7
commit
8536ffee44
@ -357,8 +357,10 @@ class Application:
|
|||||||
environ.get("SCRIPT_NAME", "")).rstrip("/")
|
environ.get("SCRIPT_NAME", "")).rstrip("/")
|
||||||
self.logger.debug("Sanitized script name: %s", environ["SCRIPT_NAME"])
|
self.logger.debug("Sanitized script name: %s", environ["SCRIPT_NAME"])
|
||||||
base_prefix = environ["SCRIPT_NAME"]
|
base_prefix = environ["SCRIPT_NAME"]
|
||||||
# Sanitize request URI
|
# Sanitize request URI (a WSGI server indicates with an empty path,
|
||||||
environ["PATH_INFO"] = storage.sanitize_path(environ["PATH_INFO"])
|
# that the URL targets the application root without a trailing slash)
|
||||||
|
if environ["PATH_INFO"]:
|
||||||
|
environ["PATH_INFO"] = storage.sanitize_path(environ["PATH_INFO"])
|
||||||
self.logger.debug("Sanitized path: %s", environ["PATH_INFO"])
|
self.logger.debug("Sanitized path: %s", environ["PATH_INFO"])
|
||||||
path = environ["PATH_INFO"]
|
path = environ["PATH_INFO"]
|
||||||
if base_prefix and path.startswith(base_prefix):
|
if base_prefix and path.startswith(base_prefix):
|
||||||
@ -597,6 +599,9 @@ class Application:
|
|||||||
if not self._access(user, path, "w"):
|
if not self._access(user, path, "w"):
|
||||||
return NOT_ALLOWED
|
return NOT_ALLOWED
|
||||||
to_path = storage.sanitize_path(to_url.path)
|
to_path = storage.sanitize_path(to_url.path)
|
||||||
|
if not (to_path + "/").startswith(base_prefix + "/"):
|
||||||
|
return NOT_ALLOWED
|
||||||
|
to_path = to_path[len(base_prefix):]
|
||||||
if not self._access(user, to_path, "w"):
|
if not self._access(user, to_path, "w"):
|
||||||
return NOT_ALLOWED
|
return NOT_ALLOWED
|
||||||
|
|
||||||
|
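Review bot: The new prefix test on `to_path` validates only the path component of the Destination URL, and nothing visible in this hunk compares the host in `to_url` with the host of the request. Unless that is checked earlier in the method (which starts outside the hunk), a Destination naming a different server would be handled as a local move. A guard ahead of the sanitising line would cover it, for example `if to_url.netloc and to_url.netloc != environ.get("HTTP_HOST"): return NOT_ALLOWED`; behind a reverse proxy the expected host may need to come from configuration instead. `to_url.path` also appears to reach `storage.sanitize_path` without percent-decoding, so it is worth confirming that the string checked by `self._access` is the same path the storage layer later acts on.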
@ -466,10 +466,6 @@ class Collection(BaseCollection):
|
|||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def discover(cls, path, depth="0"):
|
def discover(cls, path, depth="0"):
|
||||||
if path is None:
|
|
||||||
# Wrong URL
|
|
||||||
return
|
|
||||||
|
|
||||||
# Path should already be sanitized
|
# Path should already be sanitized
|
||||||
sane_path = sanitize_path(path).strip("/")
|
sane_path = sanitize_path(path).strip("/")
|
||||||
attributes = sane_path.split("/")
|
attributes = sane_path.split("/")
|
||||||
|