Preserve empty PATH_INFO from WSGI and strip base prefix from destination

Unrud 2017-05-30 22:34:41 +02:00
parent 0601b81aa7
commit 8536ffee44
2 changed files with 7 additions and 6 deletions


@ -357,7 +357,9 @@ class Application:
environ.get("SCRIPT_NAME", "")).rstrip("/")
self.logger.debug("Sanitized script name: %s", environ["SCRIPT_NAME"])
base_prefix = environ["SCRIPT_NAME"]
# Sanitize request URI
# Sanitize request URI (a WSGI server indicates with an empty path,
# that the URL targets the application root without a trailing slash)
if environ["PATH_INFO"]:
environ["PATH_INFO"] = storage.sanitize_path(environ["PATH_INFO"])
self.logger.debug("Sanitized path: %s", environ["PATH_INFO"])
path = environ["PATH_INFO"]
@ -597,6 +599,9 @@ class Application:
if not self._access(user, path, "w"):
return NOT_ALLOWED
to_path = storage.sanitize_path(to_url.path)
if not (to_path + "/").startswith(base_prefix + "/"):
return NOT_ALLOWED
to_path = to_path[len(base_prefix):]
if not self._access(user, to_path, "w"):
return NOT_ALLOWED
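Review bot: The new prefix check in the second hunk returns NOT_ALLOWED without logging, so a destination outside the application's base prefix looks the same in the logs as an ordinary rights failure. Adding `self.logger.warning("Destination %r is outside base prefix %r", to_path, base_prefix)` before that `return NOT_ALLOWED` would make such requests visible to whoever monitors the server. The check sits before the second `_access` call, so the rights test is applied to the prefix-stripped path, which is the right order. The enclosing method starts and ends outside the hunk, so it cannot be confirmed from here whether the destination's host is compared with the request host, or whether `to_url.path` is percent-decoded before `sanitize_path`.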


@ -466,10 +466,6 @@ class Collection(BaseCollection):
@classmethod
def discover(cls, path, depth="0"):
if path is None:
# Wrong URL
return
# Path should already be sanitized
sane_path = sanitize_path(path).strip("/")
attributes = sane_path.split("/")