mirror of
https://github.com/GNS3/gns3-server.git
synced 2025-01-18 07:23:47 +02:00
Merge pull request #1188 from GNS3/fix-post-file-normalization
Fixes path normalization during file upload on nodes (Fixes: #2276)
This commit is contained in:
commit
67c78ba2e3
@ -367,6 +367,7 @@ class NodeHandler:
|
|||||||
path = request.match_info["path"]
|
path = request.match_info["path"]
|
||||||
path = force_unix_path(path)
|
path = force_unix_path(path)
|
||||||
|
|
||||||
|
|
||||||
# Raise error if user try to escape
|
# Raise error if user try to escape
|
||||||
if path[0] == ".":
|
if path[0] == ".":
|
||||||
raise aiohttp.web.HTTPForbidden
|
raise aiohttp.web.HTTPForbidden
|
||||||
@ -401,7 +402,7 @@ class NodeHandler:
|
|||||||
project = yield from Controller.instance().get_loaded_project(request.match_info["project_id"])
|
project = yield from Controller.instance().get_loaded_project(request.match_info["project_id"])
|
||||||
node = project.get_node(request.match_info["node_id"])
|
node = project.get_node(request.match_info["node_id"])
|
||||||
path = request.match_info["path"]
|
path = request.match_info["path"]
|
||||||
path = os.path.normpath(path)
|
path = force_unix_path(path)
|
||||||
|
|
||||||
# Raise error if user try to escape
|
# Raise error if user try to escape
|
||||||
if path[0] == ".":
|
if path[0] == ".":
|
||||||
|
@ -258,3 +258,20 @@ def test_post_file(http_controller, tmpdir, project, node, compute):
|
|||||||
|
|
||||||
response = http_controller.get("/projects/{project_id}/nodes/{node_id}/files/../hello".format(project_id=project.id, node_id=node.id), raw=True)
|
response = http_controller.get("/projects/{project_id}/nodes/{node_id}/files/../hello".format(project_id=project.id, node_id=node.id), raw=True)
|
||||||
assert response.status == 404
|
assert response.status == 404
|
||||||
|
|
||||||
|
|
||||||
|
def test_get_and_post_with_nested_paths_normalization(http_controller, tmpdir, project, node, compute):
|
||||||
|
response = MagicMock()
|
||||||
|
response.body = b"world"
|
||||||
|
compute.http_query = AsyncioMagicMock(return_value=response)
|
||||||
|
response = http_controller.get("/projects/{project_id}/nodes/{node_id}/files/hello\\nested".format(project_id=project.id, node_id=node.id), raw=True)
|
||||||
|
assert response.status == 200
|
||||||
|
assert response.body == b'world'
|
||||||
|
|
||||||
|
compute.http_query.assert_called_with("GET", "/projects/{project_id}/files/project-files/vpcs/{node_id}/hello/nested".format(project_id=project.id, node_id=node.id), timeout=None, raw=True)
|
||||||
|
|
||||||
|
compute.http_query = AsyncioMagicMock()
|
||||||
|
response = http_controller.post("/projects/{project_id}/nodes/{node_id}/files/hello\\nested".format(project_id=project.id, node_id=node.id), body=b"hello", raw=True)
|
||||||
|
assert response.status == 201
|
||||||
|
|
||||||
|
compute.http_query.assert_called_with("POST", "/projects/{project_id}/files/project-files/vpcs/{node_id}/hello/nested".format(project_id=project.id, node_id=node.id), data=b'hello', timeout=None, raw=True)
|
||||||
|
Loading…
Reference in New Issue
Block a user