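def file_display(request):
    """
    Stream a file

    Joins the decoded ``name`` request parameter onto the directory returned
    by ``get_root_directory(request)`` and serves the result through
    ``AbstractFile``.

    The request is refused with ``HTTPForbidden`` when the current context
    has no company code (``code_compta``), when the file name is not prefixed
    with that code, or when ``issubdir`` reports the joined path as lying
    outside the root directory. ``HTTPNotFound`` is returned when the path is
    not an existing regular file.

    :param request: the current request; ``request.params['name']`` carries
        the encoded relative path and ``request.context.code_compta`` the
        company code
    :returns: ``request.response`` once ``AbstractFile.as_response`` has been
        called with the request, otherwise an ``HTTPForbidden`` or
        ``HTTPNotFound`` instance
    """
    root_path = get_root_directory(request)
    rel_filepath = decode_path(request.params['name'])
    # Strip surrounding slashes: os.path.join would discard root_path
    # entirely if the second component were absolute.
    rel_filepath = rel_filepath.strip('/')
    filepath = os.path.join(root_path, rel_filepath)
    filename = os.path.basename(filepath)

    company_code = request.context.code_compta
    if not code_is_not_null(company_code):
        logger.warning("Current context has no code")
        return HTTPForbidden()

    if not isprefixed(filename, company_code):
        # Distinct message: this is a request for a file that does not carry
        # the current company's code, not a context without a code.
        # %r keeps CR/LF in the caller-supplied name from forging log lines.
        logger.warning(
            "Requested filename %r is not prefixed with the context's code",
            filename,
        )
        return HTTPForbidden()

    # NOTE(review): issubdir is defined elsewhere; confirm it normalises both
    # paths ('..' segments, symlinks) before comparing, since this is the only
    # containment guard applied to a caller-supplied path.
    if not issubdir(root_path, filepath):
        logger.warning(
            "Given filepath is not a subdirectory: %r (root: %r)",
            filepath,
            root_path,
        )
        return HTTPForbidden()

    # os.path.isfile follows symlinks, so a link inside root_path is served
    # according to its target.
    if os.path.isfile(filepath):
        file_obj = AbstractFile(filename, filepath)
        file_obj.as_response(request)
        return request.response

    logger.warning("AbstractFile not found: %r", filepath)
    return HTTPNotFound()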
def test_issubdir():
    """Check issubdir on a real child, a sibling and a ``..`` escape."""
    base = "/root/foo"

    # A path directly below the base directory is contained.
    assert issubdir(base, "/root/foo/bar")

    # A sibling of the base directory is not contained.
    assert not issubdir(base, "/root/bar")

    # '..' segments that climb above the base must not count as contained,
    # even though the path ends in "foo/bar".
    assert not issubdir(base, "/root/../../foo/bar")

    # NOTE(review): not covered here - a sibling whose name merely starts
    # with the base's name (e.g. "/root/foobar"), which a plain string-prefix
    # comparison would wrongly accept.
def test_issubdir(self):
    """issubdir accepts a real child and rejects siblings and ``..`` escapes."""
    base = "/root/foo"

    # Direct child of the base directory.
    child_ok = issubdir(base, "/root/foo/bar")
    self.assertTrue(child_ok)

    # Sibling directory sharing only the parent.
    sibling_ok = issubdir(base, "/root/bar")
    self.assertFalse(sibling_ok)

    # Path that leaves the base through '..' segments.
    escape_ok = issubdir(base, "/root/../../foo/bar")
    self.assertFalse(escape_ok)

    # NOTE(review): a sibling sharing the base's name prefix
    # (e.g. "/root/foobar") is not exercised by this test.
def test_issubdir():
    """Run issubdir against a table of (candidate path, expected) cases."""
    base = "/root/foo"
    cases = (
        ("/root/foo/bar", True),          # real child of the base
        ("/root/bar", False),             # sibling of the base
        ("/root/../../foo/bar", False),   # escapes the base through '..'
    )
    # Cases run in order and stop at the first failure, like sequential
    # assert statements would.
    for candidate, expected in cases:
        if expected:
            assert issubdir(base, candidate)
        else:
            assert not issubdir(base, candidate)

    # NOTE(review): consider a case for a sibling whose name starts with the
    # base's name (e.g. "/root/foobar"); it is not covered by this table.