summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChris McDonough <chrism@plope.com>2011-09-08 03:36:52 -0400
committerChris McDonough <chrism@plope.com>2011-09-08 03:36:52 -0400
commit83faa0086d7bb816ea4b84148610a7cfe751e538 (patch)
treecd5c16ae50884114807d8630dd651ebd30016f2a
parentb01e971f204184e2ede685183d62d390a9081c74 (diff)
downloadpyramid-83faa0086d7bb816ea4b84148610a7cfe751e538.tar.gz
pyramid-83faa0086d7bb816ea4b84148610a7cfe751e538.tar.bz2
pyramid-83faa0086d7bb816ea4b84148610a7cfe751e538.zip
- Within ``pyramid.traversal.traversal_path`` , canonicalize URL segments
from UTF-8 to Unicode before checking whether a segment matches literally one of ``.``, the empty string, or ``..`` in case there's some sneaky way someone might tunnel those strings via UTF-8 that don't match the literals before decoded.
Diffstat
-rw-r--r--CHANGES.txt11
-rw-r--r--pyramid/traversal.py14
2 files changed, 17 insertions, 8 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index a946805bc..0afc57404 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -16,6 +16,17 @@ Bug Fixes
inappropriately URL-quoted path segments in filenames when asking for files
from the filesystem.
+- Within ``pyramid.traversal.traversal_path`` , canonicalize URL segments
+ from UTF-8 to Unicode before checking whether a segment matches literally
+ one of ``.``, the empty string, or ``..`` in case there's some sneaky way
+ someone might tunnel those strings via UTF-8 that don't match the literals
+ before decoded.
+
+Features
+--------
+
+- Belt-and-suspenders security measure: canonicalize encoded URL
+
Documentation
-------------
diff --git a/pyramid/traversal.py b/pyramid/traversal.py
index 4beb27af3..b871b8229 100644
--- a/pyramid/traversal.py
+++ b/pyramid/traversal.py
@@ -475,19 +475,17 @@ def traversal_path(path):
path = path.strip('/')
clean = []
for segment in path.split('/'):
- segment = urllib.unquote(segment) # deal with spaces in path segment
- if not segment or segment=='.':
+ segment = urllib.unquote(segment)
+ try:
+ segment = segment.decode('utf-8')
+ except UnicodeDecodeError, e:
+ raise URLDecodeError(e.encoding, e.object, e.start, e.end, e.reason)
+ if not segment or segment == '.':
continue
elif segment == '..':
if clean:
del clean[-1]
else:
- try:
- segment = segment.decode('utf-8')
- except UnicodeDecodeError, e:
- raise URLDecodeError(
- e.encoding, e.object, e.start, e.end, e.reason
- )
clean.append(segment)
return tuple(clean)
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-11 22:41:39 +0000