mercurial-crew-with-dirclash: comparison mercurial/hgweb.py

equal deleted inserted replaced

-:dca000ef7d52
+:a9343f9d7365
 return os.stat(cl_path).st_mtime
 else:
 return os.stat(hg_path).st_mtime
 def staticfile(directory, fname):
-fname = os.path.realpath(os.path.join(directory, fname))
+"""return a file inside directory with guessed content-type header
+fname always uses '/' as directory separator and isn't allowed to
+contain unusual path components.
+Content-type is guessed using the mimetypes module.
+Return an empty string if fname is illegal or file not found.
+"""
+parts = fname.split('/')
+path = directory
+for part in parts:
+if (part in ('', os.curdir, os.pardir) or
+os.sep in part or os.altsep is not None and os.altsep in part):
+return ""
+path = os.path.join(path, part)
 try:
-# the static dir should be a substring in the real
+os.stat(path)
-# file path, if it is not, we have something strange
+ct = mimetypes.guess_type(path)[0] or "text/plain"
-# going on => security breach attempt?
+return "Content-type: %s\n\n%s" % (ct, file(path).read())
-#
+except (TypeError, OSError):
-# This will either:
+# illegal fname or unreadable file
-#   1) find the `static' path at index 0  =  success
-#   2) find the `static' path at other index  =  error
-#   3) not find the `static' path  =  ValueError generated
-if fname.index(directory) != 0:
-# generate ValueError manually
-raise ValueError()
-os.stat(fname)
-ct = mimetypes.guess_type(fname)[0] or "text/plain"
-return "Content-type: %s\n\n%s" % (ct, file(fname).read())
-except ValueError:
-# security breach attempt
 return ""
-except OSError, e:
-if e.errno == errno.ENOENT:
-return ""
 class hgrequest(object):
 def __init__(self, inp=None, out=None, env=None):
 self.inp = inp or sys.stdin
 self.out = out or sys.stdout

changeset 1825	a9343f9d7365
parent 1796	a373881fdf2a
child 1830	4ced57680ce7