Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
3.1.4
-
None
-
None
Description
If one has an "index.py" file and one is using:
SetHandler mod_python
PythonHandler mod_python.publisher
with the "index.py" file containing:
class MyObject:
def method(self):
return "MyObject.method()"
def _str_(self):
return "MyObject._str_()"
myobject = MyObject()
One can access the method of the class instance as:
/index/myobject/method
and the object itself as:
/index/myobject
One can also leave out "index" in the latter and just say:
/myobject
and it will still work. If one however says:
/myobject/method
it doesn't work.
In summary, when using fallback mechanism onto "index.py", traversal
into any object does not work.
To fix this a few changes would be needed in publisher.py. First off change:
- try again, using default module, perhaps this is a
- /directory/function (as opposed to /directory/module/function)
func_path = module_name
module_name = "index"
to:
- try again, using default module, perhaps this is a
- /directory/function (as opposed to /directory/module/function)
#func_path = module_name
if func_path:
func_path = module_name + '.' + func_path
else:
func_path = module_name
module_name = "index"
One then must move the code:
- default to 'index' if no path_info was given
if not func_path:
func_path = "index"
This should be relocated to after the module is imported. Ie., just before:
- does it have an _auth_?
One also needs to change:
- if any part of the path begins with "_", abort
if func_path[0] == '' or func_path.count("."):
raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
to:
- if any part of the path begins with "_", abort
if func_path[:1] == '' or func_path.count("."):
raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
This is needed because the movement of the setting to func_path to "index"
means that func_path may not be set at that point. Thus use "[:1]" to cope
with that, or nest it in an "if" statement such as:
- if any part of the path begins with "_", abort
if func_path and (func_path[0] == '' or func_path.count(".")):
raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
Note that actual changes given above untested on publisher.py itself.