[#MODPYTHON-23] mod_python.publisher default index file traversal

mod_python

mod_python.publisher default index file traversal

Created: 26/Feb/05 04:13 PM Updated: 05/Mar/06 01:41 PM

Return to search

Component/s:

None

Affects Version/s:

3.1.4

Fix Version/s:

3.2.7

Time Tracking:

Not Specified

Resolution Date:

30/Apr/05 03:53 PM

Description

« Hide

If one has an "index.py" file and one is using:

  SetHandler mod_python
  PythonHandler mod_python.publisher

with the "index.py" file containing:

  class MyObject:
    def method(self):
      return "MyObject.method()"
    def __str__(self):
      return "MyObject.__str__()"

  myobject = MyObject()

One can access the method of the class instance as:

  /index/myobject/method

and the object itself as:

  /index/myobject

One can also leave out "index" in the latter and just say:

  /myobject

and it will still work. If one however says:

  /myobject/method

it doesn't work.

In summary, when using fallback mechanism onto "index.py", traversal
into any object does not work.

To fix this a few changes would be needed in publisher.py. First off change:

        # try again, using default module, perhaps this is a
        # /directory/function (as opposed to /directory/module/function)
        func_path = module_name
        module_name = "index"

to:

        # try again, using default module, perhaps this is a
        # /directory/function (as opposed to /directory/module/function)
        #func_path = module_name
        if func_path:
            func_path = module_name + '.' + func_path
        else:
            func_path = module_name
        module_name = "index"

One then must move the code:

    # default to 'index' if no path_info was given
    if not func_path:
        func_path = "index"

This should be relocated to after the module is imported. Ie., just before:

    # does it have an __auth__?

One also needs to change:

    # if any part of the path begins with "_", abort
    if func_path[0] == '_' or func_path.count("._"):
        raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND

to:

    # if any part of the path begins with "_", abort
    if func_path[:1] == '_' or func_path.count("._"):
        raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND

This is needed because the movement of the setting to func_path to "index"
means that func_path may not be set at that point. Thus use "[:1]" to cope
with that, or nest it in an "if" statement such as:

    # if any part of the path begins with "_", abort
    if func_path and (func_path[0] == '_' or func_path.count("._")):
        raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND

Note that actual changes given above untested on publisher.py itself.

Description

If one has an "index.py" file and one is using: SetHandler mod_python PythonHandler mod_python.publisher with the "index.py" file containing: class MyObject: def method(self): return "MyObject.method()" def __str__(self): return "MyObject.__str__()" myobject = MyObject() One can access the method of the class instance as: /index/myobject/method and the object itself as: /index/myobject One can also leave out "index" in the latter and just say: /myobject and it will still work. If one however says: /myobject/method it doesn't work. In summary, when using fallback mechanism onto "index.py", traversal into any object does not work. To fix this a few changes would be needed in publisher.py. First off change: # try again, using default module, perhaps this is a # /directory/function (as opposed to /directory/module/function) func_path = module_name module_name = "index" to: # try again, using default module, perhaps this is a # /directory/function (as opposed to /directory/module/function) #func_path = module_name if func_path: func_path = module_name + '.' + func_path else: func_path = module_name module_name = "index" One then must move the code: # default to 'index' if no path_info was given if not func_path: func_path = "index" This should be relocated to after the module is imported. Ie., just before: # does it have an __auth__? One also needs to change: # if any part of the path begins with "_", abort if func_path[0] == '_' or func_path.count("._"): raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND to: # if any part of the path begins with "_", abort if func_path[:1] == '_' or func_path.count("._"): raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND This is needed because the movement of the setting to func_path to "index" means that func_path may not be set at that point. Thus use "[:1]" to cope with that, or nest it in an "if" statement such as: # if any part of the path begins with "_", abort if func_path and (func_path[0] == '_' or func_path.count("._")): raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND Note that actual changes given above untested on publisher.py itself.

Show »

All

Comments

Work Log

Change History

Subversion Commits

Sort Order:

No work has yet been logged on this issue.