def test_uri_jail(self):
    # Verifies that a resolver built with an authorization predicate (a
    # "URI jail") serves a resource from the permitted directory and raises
    # iri.IriError for a URI outside it.
    module_uri = iri.os_path_to_uri(FILE('test_irihelpers.py'))
    # Directory part of the module URI, with the trailing slash restored.
    jail_dir = module_uri.rsplit('/', 1)[0] + '/'

    def in_jail(candidate):
        # Exact match on the directory part: only URIs whose parent is
        # jail_dir itself are accepted, so nested subdirectories fail too.
        # This is a plain string comparison; it assumes the resolver passes
        # an already-absolutized URI to the predicate -- TODO confirm.
        return candidate.rsplit('/', 1)[0] + '/' == jail_dir

    # Only files in the same directory as sampleresource.txt are authorized.
    jailed = irihelpers.resolver(authorizations=[(in_jail, True)])
    origin = inputsource(module_uri, resolver=jailed)

    # Positive case: a sibling file inside the jail resolves and is readable.
    sibling = origin.resolve('sampleresource.txt', jail_dir)
    self.assertEqual('Spam', sibling.stream.read().strip())

    # Negative case: a URI on another host must be refused.
    # NOTE(review): this is the only refusal exercised here. Relative
    # references that leave jail_dir and schemes other than http are not
    # covered, so they would need their own cases before this test can be
    # read as proof that the jail holds.
    self.assertRaises(iri.IriError, jailed.resolve, 'http://google.com', jail_dir)
def akara_xslt(body, ctype, **params):
    '''
    Apply an XSLT transform to the request body and return the result.

    @xslt - URL to the XSLT transform to be applied. When it is absent,
            DEFAULT_TRANSFORM is used; if that is unset too, ValueError is
            raised.

    The service description says all other query parameters are passed to
    the XSLT processor as top-level params. NOTE(review): the transform()
    call in this function receives only the body and the stylesheet, so
    confirm whether parameter forwarding is still intended.

    ctype is accepted but not read by this function.

    Sample request (host, port and service path are masked in this copy):
    curl --request POST --data-binary "@foo.xml" --header "Content-Type: application/xml" "http://*****:*****@xslt=http://hg.akara.info/amara/trunk/raw-file/tip/demo/data/identity.xslt"
    '''
    # Fail early when the caller named no transform and none is configured.
    if "@xslt" not in params and not DEFAULT_TRANSFORM:
        raise ValueError('XSLT transform required')
    # The @xslt value comes from the request, so the stylesheet location is
    # caller-controlled; the resolver below is what bounds where it may
    # point.
    stylesheet_ref = params["@xslt"] if "@xslt" in params else DEFAULT_TRANSFORM

    # Every URI dereference for this request goes through a resolver limited
    # to the ALLOWED authorizations. It should forbid any URI access outside
    # the specified "jails", including access through imports and includes.
    # NOTE(review): ALLOWED is defined outside this block. The exposure of
    # this endpoint depends on how narrow those rules are, and on the same
    # resolver governing every URI-loading feature of the processor --
    # confirm both.
    jail_resolver = irihelpers.resolver(authorizations=ALLOWED)
    source_doc = inputsource(body, resolver=jail_resolver)
    stylesheet = inputsource(stylesheet_ref, resolver=jail_resolver)

    output = transform(source_doc, stylesheet)
    # The response media type is taken from the transform result rather than
    # fixed by the service, so whoever selects the stylesheet presumably
    # also selects the Content-Type -- verify this is acceptable for the
    # origin the service is published on.
    response.add_header("Content-Type", output.parameters.media_type)
    return output