author | James Tunnicliffe <james.tunnicliffe@linaro.org> | 2012-08-22 12:16:46 +0100 |
---|---|---|
committer | James Tunnicliffe <james.tunnicliffe@linaro.org> | 2012-08-22 12:16:46 +0100 |
commit | 7569cc83aa8be5254bad38e0b1d7ef392f9ee8c7 (patch) | |
tree | 8904f7cea82221d51780933d3ba2f294973515bf /license_protected_downloads | |
parent | d19685ee691ccdfd4930eabaf17220f356a0b8ba (diff) |
If you can't see a file, return a 404 if the user attempts to download it.
Diffstat (limited to 'license_protected_downloads')
-rw-r--r-- | license_protected_downloads/tests/test_views.py | 9 | ||||
-rw-r--r-- | license_protected_downloads/views.py | 24 |
2 files changed, 31 insertions, 2 deletions
diff --git a/license_protected_downloads/tests/test_views.py b/license_protected_downloads/tests/test_views.py
index 1f6857c..4f8bedb 100644
--- a/license_protected_downloads/tests/test_views.py
+++ b/license_protected_downloads/tests/test_views.py
@@ -411,5 +411,14 @@ class ViewTests(TestCase):
         # If a build-info file is invalid, we don't allow access
         self.assertEqual(response.status_code, 403)
 
+    def test_unable_to_download_hidden_files(self):
+        target_file = '~linaro-android/staging-vexpress-a9/OPEN-EULA.txt'
+        url = urlparse.urljoin("http://testserver/", target_file)
+        response = self.client.get(url, follow=True)
+
+        # This file exists, but isn't listed so we shouldn't be able to
+        # download it.
+        self.assertEqual(response.status_code, 404)
+
 if __name__ == '__main__':
     unittest.main()
diff --git a/license_protected_downloads/views.py b/license_protected_downloads/views.py
index 806800d..b41ea10 100644
--- a/license_protected_downloads/views.py
+++ b/license_protected_downloads/views.py
@@ -26,7 +26,7 @@ import config
 
 
 def _hidden_file(file_name):
-    hidden_files = ["BUILD-INFO.txt", "EULA.txt", ".htaccess", "HEADER.html"]
+    hidden_files = ["BUILD-INFO.txt", "EULA.txt", r"^\.", "HEADER.html"]
     for pattern in hidden_files:
         if re.search(pattern, file_name):
             return True
@@ -34,7 +34,7 @@ def _hidden_file(file_name):
 
 
 def _hidden_dir(file_name):
-    hidden_files = [".*openid.*", ".*restricted.*", ".*private.*"]
+    hidden_files = [".*openid.*", ".*restricted.*", ".*private.*", r"^\."]
     for pattern in hidden_files:
         if re.search(pattern, file_name):
             return True
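Review bot: The new test checks only the negative case, so it would still pass if `file_listed` rejected every download; a companion request in the same test for a file that is listed in `~linaro-android/staging-vexpress-a9/`, asserting a 200, would pin the distinction the 404 is meant to make. The fixture `OPEN-EULA.txt` is presumably hidden because the unanchored `EULA.txt` pattern in `_hidden_file` matches it as a substring, so a comment such as `# Hidden via the "EULA.txt" pattern in views._hidden_file matching as a substring` would stop a later tightening of those patterns from silently breaking this test. The enclosing `ViewTests` class starts outside the hunk.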
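Review bot: The entries in `hidden_files` are handed to `re.search` as regular expressions, so the `.` in `"BUILD-INFO.txt"`, `"EULA.txt"` and `"HEADER.html"` matches any character and nothing anchors them to the end of the name; only the new `r"^\."` entry is written as a pattern. If exact suffixes are intended, escape and anchor them, `hidden_files = ["BUILD-INFO\\.txt$", "EULA\\.txt$", r"^\.", "HEADER\\.html$"]`, otherwise a comment stating that substring matching is deliberate would keep a later reader from "fixing" it. If `file_name` can ever be a path rather than a bare name, `^\.` would not catch a dotfile in a subdirectory, which is worth confirming at the call site outside this hunk. The `_hidden_dir` hunk below has the same construct (`.*openid.*` is equivalent to `openid` under `re.search`), and both functions continue past the end of their hunks.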
@@ -246,6 +246,20 @@ def redirect_to_root(request):
     return redirect('/')
 
 
+def file_listed(path, url):
+    """Boolean response to "does this files show up in a directory listing."""
+    file_name = os.path.basename(path)
+    dir_name = os.path.dirname(path)
+
+    found = False
+    file_list = dir_list(url, dir_name)
+    for file in file_list:
+        if file["name"] == file_name:
+            found = True
+
+    return found
+
+
 def file_server(request, path):
     url = path
     result = test_path(path)
@@ -293,6 +307,12 @@ def file_server(request, path):
     file_name = os.path.basename(path)
+    # If the file listing doesn't contain the file requested for download,
+    # return a 404. This prevents the download of BUILD-INFO.txt and other
+    # hidden files.
+    if not file_listed(path, url):
+        raise Http404
+
     response = None
     if get_client_ip(request) in config.INTERNAL_HOSTS:
         digests = 'OPEN' |
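Review bot: `file_listed` walks the whole listing without stopping at the first match, shadows the `file` builtin, and its docstring has a typo ("does this files"); `return any(entry["name"] == file_name for entry in dir_list(url, dir_name))` does the same job in one line. The gate compares bare names only, so it relies on `dir_list` already filtering through `_hidden_file`/`_hidden_dir` — presumably so, but that function is not in this hunk and the dependency deserves a sentence in the docstring, e.g. `"""Return True if the file at ``path`` appears in the dir_list() listing of its parent directory; hidden-file filtering is dir_list's responsibility."""`.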
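Review bot: The new `file_listed` check sits after `file_name = os.path.basename(path)` and before the `INTERNAL_HOSTS` branch, but the part of `file_server` between `result = test_path(path)` and line 307 is outside this hunk, so it cannot be confirmed here that no earlier branch serves or redirects before the listing check runs; that ordering is what makes the 404 effective and is worth verifying. Every download now also triggers `dir_list(url, dir_name)` for the parent directory, so if that listing reads per-file metadata the cost is paid per request. Answering with `Http404` rather than 403 is the right choice, since it does not confirm that the hidden file exists. The hunk's final context line looks truncated on this page.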