Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
def _loc_to_file_path(self, path, environ=None):
"""Convert resource path to a unicode absolute file path.
Optional environ argument may be useful e.g. in relation to per-user
sub-folder chrooting inside root_folder_path.
"""
root_path = self.root_folder_path
assert root_path is not None
assert compat.is_native(root_path)
assert compat.is_native(path)
path_parts = path.strip("/").split("/")
file_path = os.path.abspath(os.path.join(root_path, *path_parts))
if not file_path.startswith(root_path):
raise RuntimeError(
"Security exception: tried to access file outside root: {}".format(
file_path
)
)
# Convert to unicode
file_path = util.to_unicode_safe(file_path)
return file_path
def _loc_to_file_path(self, path, environ=None):
"""Convert resource path to a unicode absolute file path.
Optional environ argument may be useful e.g. in relation to per-user
sub-folder chrooting inside root_folder_path.
"""
root_path = self.root_folder_path
assert root_path is not None
assert compat.is_native(root_path)
assert compat.is_native(path)
path_parts = path.strip("/").split("/")
file_path = os.path.abspath(os.path.join(root_path, *path_parts))
if not file_path.startswith(root_path):
raise RuntimeError(
"Security exception: tried to access file outside root: {}".format(
file_path
)
)
# Convert to unicode
file_path = util.to_unicode_safe(file_path)
return file_path
def validate_lock(lock):
assert compat.is_native(lock["root"])
assert lock["root"].startswith("/")
assert lock["type"] == "write"
assert lock["scope"] in ("shared", "exclusive")
assert lock["depth"] in ("0", "infinity")
assert compat.is_bytes(lock["owner"]), lock # XML bytestring
# raises TypeError:
timeout = float(lock["timeout"])
assert timeout > 0 or timeout == -1, "timeout must be positive or -1"
assert compat.is_native(lock["principal"])
if "token" in lock:
assert compat.is_native(lock["token"])
# environ["wsgidav.provider"] = share_data["provider"]
environ["wsgidav.provider"] = provider
# TODO: test with multi-level realms: 'aa/bb'
# TODO: test security: url contains '..'
# Transform SCRIPT_NAME and PATH_INFO
# (Since path and share are unquoted, this also fixes quoted values.)
if share == "/" or not share:
environ["PATH_INFO"] = path
else:
environ["SCRIPT_NAME"] += share
environ["PATH_INFO"] = path[len(share) :]
# assert isinstance(path, str)
assert compat.is_native(path)
# See http://mail.python.org/pipermail/web-sig/2007-January/002475.html
# for some clarification about SCRIPT_NAME/PATH_INFO format
# SCRIPT_NAME starts with '/' or is empty
assert environ["SCRIPT_NAME"] == "" or environ["SCRIPT_NAME"].startswith("/")
# SCRIPT_NAME must not have a trailing '/'
assert environ["SCRIPT_NAME"] in ("", "/") or not environ[
"SCRIPT_NAME"
].endswith("/")
# PATH_INFO starts with '/'
assert environ["PATH_INFO"] == "" or environ["PATH_INFO"].startswith("/")
start_time = time.time()
def _start_response_wrapper(status, response_headers, exc_info=None):
# Postprocess response headers
headerDict = {}
def __init__(
self, status_code, context_info=None, src_exception=None, err_condition=None
):
# allow passing of Pre- and Postconditions, see
# http://www.webdav.org/specs/rfc4918.html#precondition.postcondition.xml.elements
self.value = int(status_code)
self.context_info = context_info
self.src_exception = src_exception
self.err_condition = err_condition
if compat.is_native(err_condition):
self.err_condition = DAVErrorCondition(err_condition)
assert (
self.err_condition is None or type(self.err_condition) is DAVErrorCondition
)
See http://www.webdav.org/specs/rfc4918.html#lock-model
http://www.webdav.org/specs/rfc4918.html#rfc.section.7.4
TODO: verify assumptions:
- Parent locks WILL NOT be conflicting, if they are depth-0.
- Exclusive child locks WILL be conflicting, even if they are owned by .
@param url: URL that shall be modified, created, moved, or deleted
@param depth: "0"|"infinity"
@param token_list: list of lock tokens, that the principal submitted in If: header
@param principal: name of the principal requesting a lock
@return: None or raise error
"""
assert compat.is_native(url)
assert depth in ("0", "infinity")
_logger.debug(
"check_write_permission({}, {}, {}, {})".format(
url, depth, token_list, principal
)
)
# Error precondition to collect conflicting URLs
errcond = DAVErrorCondition(PRECONDITION_CODE_LockConflict)
self._lock.acquire_read()
try:
# Check url and all parents for conflicting locks
u = url
while u:
ll = self.get_url_lock_list(u)
def __init__(self, path, is_collection, environ):
assert compat.is_native(path)
assert path == "" or path.startswith("/")
self.provider = environ["wsgidav.provider"]
self.path = path
self.is_collection = is_collection
self.environ = environ
self.name = util.get_uri_name(self.path)
# Note: we encode using UTF-8 here (falling back to ISO-8859-1)!
# This seems to be wrong, since per PEP 3333 PATH_INFO is always ISO-8859-1 encoded
# (see https://www.python.org/dev/peps/pep-3333/#unicode-issues).
# But also seems to resolve errors when accessing resources with Chinese characters, for
# example.
# This is done by default for Python 3, but can be turned off in settings.
if self.re_encode_path_info:
path = environ["PATH_INFO"] = compat.wsgi_to_bytes(path).decode()
# We optionally unquote PATH_INFO here, although this should already be
# done by the server (#8).
if self.unquote_path_info:
path = compat.unquote(environ["PATH_INFO"])
# GC issue 22: Pylons sends root as u'/'
if not compat.is_native(path):
_logger.warning("Got non-native PATH_INFO: {!r}".format(path))
# path = path.encode("utf8")
path = compat.to_native(path)
# Always adding these values to environ:
environ["wsgidav.config"] = self.config
environ["wsgidav.provider"] = None
environ["wsgidav.verbose"] = self.verbose
# Find DAV provider that matches the share
share, provider = self.resolve_provider(path)
# share = None
# lower_path = path.lower()
# for r in self.sorted_share_list:
# # @@: Case sensitivity should be an option of some sort here;
# # os.path.normpath might give the preferred case for a filename.