dulwich-users team mailing list archive

Thread
Date

Re: [PATCH v3 3/4] repo.Repo.get_named_file: normalize case

To: Jelmer Vernooij <jelmer@xxxxxxxxx>
From: Tay Ray Chuan <rctay89@xxxxxxxxx>
Date: Mon, 27 Dec 2010 00:45:14 +0800
Cc: dulwich-users@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20101226163636.GA29477@vernstok.nl>

On Mon, Dec 27, 2010 at 12:36 AM, Jelmer Vernooij <jelmer@xxxxxxxxx> wrote:
> On Mon, Dec 27, 2010 at 12:15:45AM +0800, Tay Ray Chuan wrote:
[snip]
>> +def _norm_path(path):
>> +    return os.path.normcase(os.path.realpath(path))
> Thanks for the patches.
>
> I'm not sure this is a useful thing to factor out.

It makes things neater. In the next patch (#4), we go through the
whole gamut again for the parent directory.

> Also, why the os.path.realpath? We're just going to open these files, why do we care
> about their canonical location?

A malicious user could ask for an path like

  /../some/file

realpath "escapes" these for us.

-- 
Cheers,
Ray Chuan

Follow ups

Re: [PATCH v3 3/4] repo.Repo.get_named_file: normalize case
From: Jelmer Vernooij, 2010-12-26

References

Re: [PATCH v2] web: change '/' only if repo is physical
From: Dave Borowitz, 2010-12-22
[PATCH v3 0/4] web paths handling
From: Tay Ray Chuan, 2010-12-26
[PATCH v3 1/4] Repo.get_named_file: fix spelling in doc
From: Tay Ray Chuan, 2010-12-26
[PATCH v3 2/4] web: move url-to-path step into get_named_file
From: Tay Ray Chuan, 2010-12-26
[PATCH v3 3/4] repo.Repo.get_named_file: normalize case
From: Tay Ray Chuan, 2010-12-26
Re: [PATCH v3 3/4] repo.Repo.get_named_file: normalize case
From: Jelmer Vernooij, 2010-12-26