diff options
| -rw-r--r-- | CHANGES.txt | 11 | ||||
| -rw-r--r-- | pyramid/traversal.py | 14 |
2 files changed, 17 insertions, 8 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index a946805bc..0afc57404 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -16,6 +16,17 @@ Bug Fixes inappropriately URL-quoted path segments in filenames when asking for files from the filesystem. +- Within ``pyramid.traversal.traversal_path`` , canonicalize URL segments + from UTF-8 to Unicode before checking whether a segment matches literally + one of ``.``, the empty string, or ``..`` in case there's some sneaky way + someone might tunnel those strings via UTF-8 that don't match the literals + before decoded. + +Features +-------- + +- Belt-and-suspenders security measure: canonicalize encoded URL + Documentation ------------- diff --git a/pyramid/traversal.py b/pyramid/traversal.py index 4beb27af3..b871b8229 100644 --- a/pyramid/traversal.py +++ b/pyramid/traversal.py @@ -475,19 +475,17 @@ def traversal_path(path): path = path.strip('/') clean = [] for segment in path.split('/'): - segment = urllib.unquote(segment) # deal with spaces in path segment - if not segment or segment=='.': + segment = urllib.unquote(segment) + try: + segment = segment.decode('utf-8') + except UnicodeDecodeError, e: + raise URLDecodeError(e.encoding, e.object, e.start, e.end, e.reason) + if not segment or segment == '.': continue elif segment == '..': if clean: del clean[-1] else: - try: - segment = segment.decode('utf-8') - except UnicodeDecodeError, e: - raise URLDecodeError( - e.encoding, e.object, e.start, e.end, e.reason - ) clean.append(segment) return tuple(clean) |