def escape(self):
    """Normalise the percent-encoding of the stored path and return ``self``.

    The raw path bytes are decoded as UTF-8, unquoted once and quoted
    again, so an already-escaped path is not escaped a second time.
    Only one level of decoding is applied: a double-encoded sequence
    such as ``%252e`` is still encoded afterwards, so the result must not
    be treated as a fully decoded, traversal-safe path.
    """
    decoded = self._path.decode("utf-8")
    canonical = quote(unquote(decoded))
    self._path = canonical.encode("utf-8")
    return self
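def _on_read(self, sock, data):
    """Read Event Handler

    Feed the received bytes to the per-socket ``HttpParser`` and, once the
    request is complete, fire a ``request`` event for it.

    Outcomes other than a normal dispatch:

    * the first read on a socket looks like an SSL handshake and the server
      is not secure: the connection is closed;
    * the parser reports an error before the headers are complete: 400;
    * the request's major HTTP version differs from the server's: 505;
    * ``Content-Length`` is not a non-negative integer: 400;
    * the request path does not match the path held by ``req.uri``: 301
      redirect to ``req.uri``;
    * headers or body still incomplete: return and wait for more data.
    """
    if sock in self._buffers:
        parser = self._buffers[sock]
    else:
        self._buffers[sock] = parser = HttpParser(0, True)

        # If we receive an SSL handshake at the start of a request
        # and we're not a secure server, then immediately close the
        # client connection since we can't respond to it anyway.
        if is_ssl_handshake(data) and not self._server.secure:
            if sock in self._buffers:
                del self._buffers[sock]
            if sock in self._clients:
                del self._clients[sock]
            return self.fire(close(sock))

    _scheme = "https" if self._server.secure else "http"
    parser.execute(data, len(data))

    if not parser.is_headers_complete():
        if parser.errno is not None:
            if parser.errno == BAD_FIRST_LINE:
                # Nothing usable was parsed; build a bare request so that
                # an error response can still be produced.
                req = wrappers.Request(sock, server=self._server)
            else:
                req = wrappers.Request(
                    sock,
                    parser.get_method(),
                    parser.get_scheme() or _scheme,
                    parser.get_path(),
                    parser.get_version(),
                    parser.get_query_string(),
                    server=self._server
                )
                req.server = self._server
            res = wrappers.Response(req, encoding=self._encoding)
            del self._buffers[sock]
            return self.fire(httperror(req, res, 400))
        # Headers not complete yet and no error: wait for the next read.
        return

    if sock in self._clients:
        req, res = self._clients[sock]
    else:
        method = parser.get_method()
        scheme = parser.get_scheme() or _scheme
        path = parser.get_path()
        version = parser.get_version()
        query_string = parser.get_query_string()

        req = wrappers.Request(
            sock, method, scheme, path, version, query_string,
            headers=parser.get_headers(),
            server=self._server
        )
        res = wrappers.Response(req, encoding=self._encoding)
        self._clients[sock] = (req, res)

        rp = req.protocol
        sp = self.protocol

        if rp[0] != sp[0]:
            # the major HTTP version differs
            return self.fire(httperror(req, res, 505))

        res.protocol = "HTTP/{0:d}.{1:d}".format(*min(rp, sp))
        res.close = not parser.should_keep_alive()

    # Content-Length is client-supplied. A value that is not a
    # non-negative integer is answered with 400 instead of letting
    # int() raise inside the handler.
    try:
        clen = int(req.headers.get("Content-Length", "0"))
    except ValueError:
        clen = -1
    if clen < 0:
        # The body framing is unknown, so the connection is marked for
        # closing rather than being reused for another request.
        res.close = True
        del self._buffers[sock]
        return self.fire(httperror(req, res, 400))

    if clen and not parser.is_message_complete():
        # A body is announced but has not fully arrived yet.
        return

    # Pass the client certificate along when the socket offers one.
    if hasattr(sock, "getpeercert"):
        peer_cert = sock.getpeercert()
        if peer_cert:
            e = request(req, res, peer_cert)
        else:
            e = request(req, res)
    else:
        e = request(req, res)

    # Guard against unwanted request paths (SECURITY).
    # When neither the request path nor its quoted form equals the path
    # stored on req.uri (presumably the normalised form -- confirm in
    # wrappers), the client is redirected to req.uri and the request is
    # not dispatched.
    path = req.path
    _path = req.uri._path
    if (path.encode(self._encoding) != _path) and (
            quote(path).encode(self._encoding) != _path):
        return self.fire(
            redirect(req, res, [req.uri.utf8()], 301)
        )

    req.body = BytesIO(parser.recv_body())
    del self._buffers[sock]
    self.fire(e)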
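def _on_request(self, event, request, response):
    """Serve a static file, a default file or a directory listing.

    The request path (minus the ``self.path`` prefix, when one is set) is
    resolved against ``self.docroot``. Requests that resolve outside
    ``docroot`` or to something that does not exist return ``None`` without
    stopping the event. A file is served with ``serve_file``; a directory
    is answered with the first existing entry of ``self.defaults`` or,
    when ``self.dirlisting`` is set, with a rendered listing.
    """
    if self.path is not None and not request.path.startswith(self.path):
        return

    path = request.path
    if self.path is not None:
        path = path[len(self.path):]

    # The path is client-controlled. After unquoting it may contain ".."
    # segments or start with "/" (from "%2F"), and os.path.join() drops
    # docroot entirely when the joined component is absolute.
    path = unquote(path.strip("/"))

    docroot = os.path.abspath(self.docroot)
    location = os.path.abspath(os.path.join(self.docroot, path or "."))

    # Confine the request to docroot itself. The comparison uses docroot
    # plus a trailing separator: a bare prefix test against docroot's
    # parent also accepts siblings of docroot and any directory whose name
    # merely starts with the same characters. abspath() does not resolve
    # symbolic links, so a link placed inside docroot is still followed.
    if location != docroot and not location.startswith(
            os.path.join(docroot, "")):
        return  # traversal attempt e.g. /foo/../../../../../etc/shadow

    if not os.path.exists(location):
        return

    # Is it a file we can serve directly?
    if os.path.isfile(location):
        # Don't set cookies for static content
        response.cookie.clear()
        try:
            return serve_file(request, response, location)
        finally:
            event.stop()

    # Is it a directory?
    elif os.path.isdir(location):

        # Try to serve one of default files first..
        for default in self.defaults:
            location = os.path.abspath(
                os.path.join(self.docroot, path, default))
            if os.path.exists(location):
                # Don't set cookies for static content
                response.cookie.clear()
                try:
                    return serve_file(request, response, location)
                finally:
                    event.stop()

        # .. serve a directory listing if allowed to.
        if self.dirlisting:
            directory = os.path.abspath(os.path.join(self.docroot, path))
            cur_dir = os.path.join(self.path, path) if self.path else ""

            if not path:
                url_up = ""
            else:
                if self.path is None:
                    url_up = os.path.join("/", os.path.split(path)[0])
                else:
                    url_up = os.path.join(cur_dir, "..")
                url_up = '<li><a href="%s">%s</a></li>' % (url_up, "..")

            # NOTE(review): entry names, url_up and ctx["directory"] are
            # placed into the HTML without escaping. If names under
            # docroot can be chosen by users (e.g. uploads), HTML-escape
            # them before substitution.
            listing = []
            for item in os.listdir(directory):
                # Hidden entries (dot-files) are left out of the listing.
                if not item.startswith("."):
                    url = os.path.join("/", path, cur_dir, item)
                    location = os.path.abspath(
                        os.path.join(self.docroot, path, item))
                    if os.path.isdir(location):
                        li = '<li><a href="%s/">%s/</a></li>' % (
                            quote(url), item)
                    else:
                        li = '<li><a href="%s">%s</a></li>' % (
                            quote(url), item)
                    listing.append(li)

            ctx = {}
            ctx["directory"] = cur_dir or os.path.join("/", cur_dir, path)
            ctx["url_up"] = url_up
            ctx["listing"] = "\n".join(listing)
            try:
                return _dirlisting_template.safe_substitute(ctx)
            finally:
                event.stop()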
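def _on_request(self, event, request, response):
    """Serve a static file, a default file or a directory listing.

    The request path (minus the ``self.path`` prefix, when one is set) is
    resolved against ``self.docroot``. Requests that resolve outside
    ``docroot`` or to something that does not exist return ``None`` without
    stopping the event. A file is served with ``serve_file``; a directory
    is answered with the first existing entry of ``self.defaults`` or,
    when ``self.dirlisting`` is set, with a rendered listing.
    """
    if self.path is not None and not request.path.startswith(self.path):
        return

    path = request.path
    if self.path is not None:
        path = path[len(self.path):]

    # The path is client-controlled. After unquoting it may contain ".."
    # segments or start with "/" (from "%2F"), and os.path.join() drops
    # docroot entirely when the joined component is absolute.
    path = unquote(path.strip("/"))

    docroot = os.path.abspath(self.docroot)
    location = os.path.abspath(os.path.join(self.docroot, path or "."))

    # Confine the request to docroot itself. The comparison uses docroot
    # plus a trailing separator: a bare prefix test against docroot's
    # parent also accepts siblings of docroot and any directory whose name
    # merely starts with the same characters. abspath() does not resolve
    # symbolic links, so a link placed inside docroot is still followed.
    if location != docroot and not location.startswith(
            os.path.join(docroot, "")):
        return  # traversal attempt e.g. /foo/../../../../../etc/shadow

    if not os.path.exists(location):
        return

    # Is it a file we can serve directly?
    if os.path.isfile(location):
        # Don't set cookies for static content
        response.cookie.clear()
        try:
            return serve_file(request, response, location)
        finally:
            event.stop()

    # Is it a directory?
    elif os.path.isdir(location):

        # Try to serve one of default files first..
        for default in self.defaults:
            location = os.path.abspath(
                os.path.join(self.docroot, path, default)
            )
            if os.path.exists(location):
                # Don't set cookies for static content
                response.cookie.clear()
                try:
                    return serve_file(request, response, location)
                finally:
                    event.stop()

        # .. serve a directory listing if allowed to.
        if self.dirlisting:
            directory = os.path.abspath(os.path.join(self.docroot, path))
            cur_dir = os.path.join(self.path, path) if self.path else ""

            if not path:
                url_up = ""
            else:
                if self.path is None:
                    url_up = os.path.join("/", os.path.split(path)[0])
                else:
                    url_up = os.path.join(cur_dir, "..")
                url_up = '<li><a href="%s">%s</a></li>' % (url_up, "..")

            # NOTE(review): entry names, url_up and ctx["directory"] are
            # placed into the HTML without escaping. If names under
            # docroot can be chosen by users (e.g. uploads), HTML-escape
            # them before substitution.
            listing = []
            for item in os.listdir(directory):
                # Hidden entries (dot-files) are left out of the listing.
                if not item.startswith("."):
                    url = os.path.join("/", path, cur_dir, item)
                    location = os.path.abspath(
                        os.path.join(self.docroot, path, item)
                    )
                    if os.path.isdir(location):
                        li = '<li><a href="%s/">%s/</a></li>' % (
                            quote(url), item
                        )
                    else:
                        li = '<li><a href="%s">%s</a></li>' % (
                            quote(url), item
                        )
                    listing.append(li)

            ctx = {}
            ctx["directory"] = cur_dir or os.path.join("/", cur_dir, path)
            ctx["url_up"] = url_up
            ctx["listing"] = "\n".join(listing)
            try:
                return _dirlisting_template.safe_substitute(ctx)
            finally:
                event.stop()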
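def _on_read(self, sock, data):
    """Read Event Handler

    Feed the received bytes to the per-socket ``HttpParser`` and, once the
    request is complete, fire a ``request`` event for it.

    Outcomes other than a normal dispatch:

    * the first read on a socket looks like an SSL handshake and the server
      is not secure: the connection is closed;
    * the parser reports an error before the headers are complete: 400;
    * the request's major HTTP version differs from the server's: 505;
    * ``Content-Length`` is not a non-negative integer: 400;
    * the request path does not match the path held by ``req.uri``: 301
      redirect to ``req.uri``;
    * headers or body still incomplete: return and wait for more data.
    """
    if sock in self._buffers:
        parser = self._buffers[sock]
    else:
        self._buffers[sock] = parser = HttpParser(0, True)

        # If we receive an SSL handshake at the start of a request
        # and we're not a secure server, then immediately close the
        # client connection since we can't respond to it anyway.
        if is_ssl_handshake(data) and not self._server.secure:
            if sock in self._buffers:
                del self._buffers[sock]
            if sock in self._clients:
                del self._clients[sock]
            return self.fire(close(sock))

    _scheme = "https" if self._server.secure else "http"
    parser.execute(data, len(data))

    if not parser.is_headers_complete():
        if parser.errno is not None:
            if parser.errno == BAD_FIRST_LINE:
                # Nothing usable was parsed; build a bare request so that
                # an error response can still be produced.
                req = wrappers.Request(sock, server=self._server)
            else:
                req = wrappers.Request(sock,
                                       parser.get_method(),
                                       parser.get_scheme() or _scheme,
                                       parser.get_path(),
                                       parser.get_version(),
                                       parser.get_query_string(),
                                       server=self._server)
                req.server = self._server
            res = wrappers.Response(req, encoding=self._encoding)
            del self._buffers[sock]
            return self.fire(httperror(req, res, 400))
        # Headers not complete yet and no error: wait for the next read.
        return

    if sock in self._clients:
        req, res = self._clients[sock]
    else:
        method = parser.get_method()
        scheme = parser.get_scheme() or _scheme
        path = parser.get_path()
        version = parser.get_version()
        query_string = parser.get_query_string()

        req = wrappers.Request(sock,
                               method,
                               scheme,
                               path,
                               version,
                               query_string,
                               headers=parser.get_headers(),
                               server=self._server)
        res = wrappers.Response(req, encoding=self._encoding)
        self._clients[sock] = (req, res)

        rp = req.protocol
        sp = self.protocol

        if rp[0] != sp[0]:
            # the major HTTP version differs
            return self.fire(httperror(req, res, 505))

        res.protocol = "HTTP/{0:d}.{1:d}".format(*min(rp, sp))
        res.close = not parser.should_keep_alive()

    # Content-Length is client-supplied. A value that is not a
    # non-negative integer is answered with 400 instead of letting
    # int() raise inside the handler.
    try:
        clen = int(req.headers.get("Content-Length", "0"))
    except ValueError:
        clen = -1
    if clen < 0:
        # The body framing is unknown, so the connection is marked for
        # closing rather than being reused for another request.
        res.close = True
        del self._buffers[sock]
        return self.fire(httperror(req, res, 400))

    if clen and not parser.is_message_complete():
        # A body is announced but has not fully arrived yet.
        return

    # Pass the client certificate along when the socket offers one.
    if hasattr(sock, "getpeercert"):
        peer_cert = sock.getpeercert()
        if peer_cert:
            e = request(req, res, peer_cert)
        else:
            e = request(req, res)
    else:
        e = request(req, res)

    # Guard against unwanted request paths (SECURITY).
    # When neither the request path nor its quoted form equals the path
    # stored on req.uri (presumably the normalised form -- confirm in
    # wrappers), the client is redirected to req.uri and the request is
    # not dispatched.
    path = req.path
    _path = req.uri._path
    if (path.encode(self._encoding) != _path) and (quote(path).encode(
            self._encoding) != _path):
        return self.fire(redirect(req, res, [req.uri.utf8()], 301))

    req.body = BytesIO(parser.recv_body())
    del self._buffers[sock]
    self.fire(e)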