diff bitten/web_ui.py @ 528:f3bf55de8a34
Prevent path highlighting from passing non-canonical paths to svn:
* ignore prefixes like `-I` (so that `-I../..` does not resolve down to `.`)
* Normalize the path before looking in the repository
* Check that nothing like `../` will allow the link to point out of the configured repository section
* Add a test for the bad links that we could reproduce triggering the `is_canonical` crash
* Should fix #206
author | dfraser |
---|---|
date | Wed, 18 Mar 2009 08:50:17 +0000 |
parents | be811cb659b7 |
children | b4d3d9cbf200 |
--- a/bitten/web_ui.py
+++ b/bitten/web_ui.py
@@ -612,7 +612,7 @@
 implements(ILogFormatter)
- _fileref_re = re.compile('(?P<path>[\w.-]+(?:/[\w.-]+)+)(?P<line>(:\d+))?')
+ _fileref_re = re.compile('(?P<prefix>-[A-Za-z])?(?P<path>[\w.-]+(?:/[\w.-]+)+)(?P<line>(:\d+))?')
 def get_formatter(self, req, build):
 """Return the log message formatter function."""
@@ -630,9 +630,14 @@
 path = posixpath.join(path, part)
 if path not in cache:
 try:
- repos.get_node(posixpath.join(config.path, path),
- build.rev)
- cache[path] = True
+ full_path = posixpath.join(config.path, path)
+ full_path = posixpath.normpath(full_path)
+ if full_path.startswith(config.path + "/") or full_path == config.path:
+ repos.get_node(full_path,
+ build.rev)
+ cache[path] = True
+ else:
+ cache[path] = False
 except TracError:
 cache[path] = False
 if cache[path] is False:
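Review bot: The new `prefix` group in `_fileref_re` has no comment saying why it exists, and the pattern is still a plain string literal containing `\w` and `\d`. I would add `# optional one-letter option such as -I, split off so that "-I../.." is not read as a path` above the assignment and write the literal as a raw string (`r'...'`). The group matches exactly one dash and one letter, so a longer option glued to a path would leave its remaining letters in `path`. Presumably the repository lookup then rejects it, but a test case for that shape would pin it down. The code that consumes the match groups is outside this hunk.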
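Review bot: The containment test in the added `if full_path.startswith(config.path + "/") or full_path == config.path:` compares a normalised `full_path` against `config.path` as stored, so it only works when `config.path` is already in normal form. If the configuration allows a trailing slash, or an empty path meaning the repository root (not visible here), every candidate falls into the `else` branch and link highlighting is silently switched off. That fails closed, which is the right direction. I would still normalise the base once with `base = config.path.rstrip('/')`, compare against `base`, and for an empty base reject any `full_path` that equals `..` or starts with `../`. The enclosing function starts and ends outside the hunk.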