Example #1
0
def ssi_open(rootdir, path, mode):
    rootdir = asciiify(rootdir)
    path = asciiify(path)
    path = os.sep.join([rootdir, path])
    path = os.path.normpath(path)
    path = asciiify(path)
    if not path.startswith(rootdir):
        raise ValueError("ssi: Path name below root directory")
    return open(path, mode)
Example #2
0
def ssi_open(rootdir, path, mode):
    ''' Wrapper for open() that makes security checks '''
    rootdir = asciiify(rootdir)
    path = asciiify(path)
    path = os.sep.join([rootdir, path])
    path = os.path.normpath(path)
    path = asciiify(path)
    if not path.startswith(rootdir):
        raise ValueError("ssi: Path name below root directory")
    return open(path, mode)
Example #3
0
    def process_request(self, stream, request):
        ''' Process a request and generate the response '''
        response = Message()

        if not request.uri.startswith("/"):
            response.compose(code="403", reason="Forbidden",
                             body="403 Forbidden")
            stream.send_response(request, response)
            return

        for prefix, child in self.childs.items():
            if request.uri.startswith(prefix):
                child.process_request(stream, request)
                return

        rootdir = self.conf.get("http.server.rootdir", "")
        if not rootdir:
            response.compose(code="403", reason="Forbidden",
                             body="403 Forbidden")
            stream.send_response(request, response)
            return

        if request.uri == "/":
            response.compose_redirect(stream, "/api/index")
            stream.send_response(request, response)
            return

        # Paranoid mode: ON
        rootdir = utils.asciiify(rootdir)
        uripath = utils.asciiify(request.uri)
        fullpath = os.path.normpath(rootdir + uripath)
        fullpath = utils.asciiify(fullpath)

        if not fullpath.startswith(rootdir):
            response.compose(code="403", reason="Forbidden",
                             body="403 Forbidden")
            stream.send_response(request, response)
            return

        try:
            filep = open(fullpath, "rb")
        except (IOError, OSError):
            LOG.error("HTTP: Not Found: %s (WWW: %s)" % (fullpath, rootdir))
            response.compose(code="404", reason="Not Found",
                             body="404 Not Found")
            stream.send_response(request, response)
            return

        if self.conf.get("http.server.mime", True):
            mimetype, encoding = mimetypes.guess_type(fullpath)

            # Do not attempt SSI if the resource is, say, gzipped
            if not encoding:
                if mimetype == "text/html":
                    ssi = self.conf.get("http.server.ssi", False)
                    if ssi:
                        body = ssi_replace(rootdir, filep)
                        filep = StringIO.StringIO(body)

                #XXX Do we need to enforce the charset?
                if mimetype in ("text/html", "application/x-javascript"):
                    mimetype += "; charset=UTF-8"
            else:
                response["content-encoding"] = encoding

        else:
            mimetype = "text/plain"

        response.compose(code="200", reason="Ok", body=filep,
                         mimetype=mimetype)
        if request.method == "HEAD":
            utils.safe_seek(filep, 0, os.SEEK_END)
        stream.send_response(request, response)