Commit e385262f authored by David Sikter's avatar David Sikter

Fixed issue with raw paths starting with '/'.

parent 6d0c4f1d
Pipeline #101664 passed with stages
in 17 minutes and 40 seconds
......@@ -563,6 +563,7 @@ async def get_upload_raw_path(
except Exception as e:
logger.error('exception while streaming download', exc_info=e)
upload_files.close()
raise
@router.post(
......
......@@ -359,7 +359,13 @@ class StagingUploadFiles(UploadFiles):
'''
if not self._is_authorized():
raise Restricted
if path is None or '..' in path.split(os.path.sep):
if path is None:
return None
# Normalize the path
path = os.path.normpath(path)
if path == '.':
path = ''
if path.startswith(os.path.sep) or '..' in path.split(os.path.sep):
return None
return os.path.join(self.os_path, 'raw', path)
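Review bot: The guard `if path.startswith(os.path.sep) or '..' in path.split(os.path.sep):` is the security-relevant line of this change, but its only comment is `# Normalize the path`, which does not say why a leading separator has to be refused. I would put `# os.path.join drops self.os_path and 'raw' when path is absolute, so refuse absolute and parent-relative paths` above the check, and consider `os.path.isabs(path)` instead of `startswith` to state the intent. The check is purely lexical and does not resolve symlinks, so if entries under `raw` can be symlinks (not visible in this hunk), a stronger containment test would compare `os.path.realpath` of the joined result against the `raw` directory. The method's signature and docstring start above the hunk, so the `None` return for rejected paths should also be confirmed against what the docstring promises.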
......
......@@ -574,7 +574,12 @@ def test_get_upload_entry(
'test_user', 'id_published', '', '*', True, None,
200, 'application/zip', ['test_content', 'test_content/subdir/test_entry_01/1.aux'],
id='published-dir-compressed-root'),
])
pytest.param(
'test_user', 'silly_value', 'test_content/subdir/test_entry_01/1.aux', '*', True, None,
404, None, None, id='bad-upload-id'),
pytest.param(
'test_user', 'id_published', 'test_content/silly_name', '*', True, None,
404, None, None, id='bad-path')])
def test_get_upload_raw_path(
client, example_data, test_user_auth, other_test_user_auth, admin_user_auth,
user, upload_id, path, accept, compress, re_pattern,
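Review bot: Neither added case exercises the behaviour this commit fixes: `bad-upload-id` and `bad-path` cover an unknown upload and a missing file, but no parameter visible here passes a path that starts with '/' or contains a '..' component. I would add at least one such case, e.g. `pytest.param('test_user', 'id_published', '/test_content/subdir/test_entry_01/1.aux', '*', True, None, <expected status>, None, None, id='leading-slash-path')`, filling in the status the API is meant to return, plus a matching `'../'` case, so a regression in the path check is caught. The parametrize list begins above the hunk and the test body continues below it, so equivalent cases may already exist outside this view.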
......