Add fix for relative paths in user files lookup and add test

Joseph Schorr 2017-04-21 15:54:15 -04:00
parent e9672326a8
commit 4bb725dce0
2 changed files with 18 additions and 1 deletions


@ -0,0 +1,15 @@
import pytest
from data.userfiles import DelegateUserfiles
@pytest.mark.parametrize('path,expected', [
('foo', 'test/foo'),
('bar', 'test/bar'),
('/bar', 'test/bar'),
('../foo', 'test/foo'),
('foo/bar/baz', 'test/baz'),
('foo/../baz', 'test/baz'),
])
def test_filepath(path, expected):
userfiles = DelegateUserfiles(None, None, 'local_us', 'test')
assert userfiles.get_file_id_path(path) == expected
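Review bot: The parameter table in `test_filepath` stops short of the ids where `os.path.basename` does not yield a plain file name: `'..'` and `'foo/..'` give `'..'`, and `''` and `'foo/'` give an empty string. Add rows or a second test for these so the intended outcome is pinned, whether that is a rejection or a fixed mapping. A one-line comment such as `# ids with separators or .. must still resolve inside the 'test' prefix` above the table would also tell readers these are security cases rather than formatting ones.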


@ -32,6 +32,7 @@ class UserfilesHandlers(View):
file_header_bytes = buffered.peek(1024)
return send_file(buffered, mimetype=self._magic.from_buffer(file_header_bytes))
except IOError:
logger.exception('Error reading user file')
abort(404)
def put(self, file_id):
@ -73,7 +74,8 @@ class DelegateUserfiles(object):
url_scheme=self._app.config['PREFERRED_URL_SCHEME'])
def get_file_id_path(self, file_id):
return os.path.join(self._prefix, file_id)
# Note: We use basename here to prevent paths with ..'s and absolute paths.
return os.path.join(self._prefix, os.path.basename(file_id))
def prepare_for_drop(self, mime_type, requires_cors=True):
""" Returns a signed URL to upload a file to our bucket. """
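Review bot: In `get_file_id_path`, `os.path.basename(file_id)` still returns `..` when the id is `..` or ends in `/..`, and an empty string when the id is empty or ends in `/`, so the joined result can be the prefix's parent or the prefix directory itself. Check the component before joining: `name = os.path.basename(file_id)`, then `if name in ('', '.', '..'): raise IOError('Invalid user file id')`, then `return os.path.join(self._prefix, name)`. IOError is only a suggestion, chosen because the handler in the first hunk of this file already turns it into a 404; whether every caller sits inside such a handler is not visible here. The comment above the return could also state that nested ids are flattened, so `a/x` and `b/x` resolve to the same stored path.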