From ea9f0e52c8335c87911d202534acf24bd79140b1 Mon Sep 17 00:00:00 2001
From: ziajka
Date: Wed, 21 Jun 2017 10:26:36 +0200
Subject: [PATCH] Fixes #2108 (gns3-gui): getting project file with leading slashes issue (#1078)
---
 gns3server/handlers/api/controller/project_handler.py | 2 +-
 tests/handlers/api/controller/test_project.py | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/gns3server/handlers/api/controller/project_handler.py b/gns3server/handlers/api/controller/project_handler.py
index 232147f6..4c45955d 100644
--- a/gns3server/handlers/api/controller/project_handler.py
+++ b/gns3server/handlers/api/controller/project_handler.py
@@ -396,7 +396,7 @@ class ProjectHandler:
 controller = Controller.instance()
 project = yield from controller.get_loaded_project(request.match_info["project_id"])
 path = request.match_info["path"]
- path = os.path.normpath(path)
+ path = os.path.normpath(path).strip('/')
 # Raise error if user try to escape
 if path[0] == ".":
diff --git a/tests/handlers/api/controller/test_project.py b/tests/handlers/api/controller/test_project.py
index d8aecd25..7d0f3584 100644
--- a/tests/handlers/api/controller/test_project.py
+++ b/tests/handlers/api/controller/test_project.py
@@ -218,6 +218,15 @@ def test_write_file(http_controller, tmpdir, project):
 assert response.status == 403
+def test_write_and_get_file_with_leading_slashes_in_filename(http_controller, tmpdir, loop, project):
+ response = http_controller.post("/projects/{project_id}/files//hello".format(project_id=project.id), body="world", raw=True)
+ assert response.status == 200
+
+ response = http_controller.get("/projects/{project_id}/files//hello".format(project_id=project.id), raw=True)
+ assert response.status == 200
+ assert response.body == b"world"
+
+
 def test_import(http_controller, tmpdir, controller):
 with zipfile.ZipFile(str(tmpdir / "test.zip"), 'w') as myzip:
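Review bot: After `.strip('/')` the path can be empty, since a path component made only of slashes normalizes to `/` and strips to `''`, so the `path[0] == "."` test two lines below would raise IndexError and presumably surface as a 500 rather than a clean rejection. Guard the empty case in the same condition, `if not path or path[0] == ".":`. The leading-dot test is also only a prefix heuristic: on Windows `os.path.normpath` returns backslash separators that `strip('/')` does not remove, so if the code below the hunk joins `path` onto the project directory, a containment check on the joined, resolved path (for example with `os.path.commonpath`) would be the sturdier guard. The handler body starts and ends outside this hunk, so the join itself is not visible here.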
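Review bot: The new test only proves a round trip, so it would still pass if both handlers resolved `//hello` to the same location outside the project directory. Assert where the file landed as well, e.g. `assert os.path.exists(os.path.join(project.path, "hello"))`, if the fixture exposes its directory as `project.path` (not visible in this hunk). The `tmpdir` and `loop` fixtures are requested but unused in the body; drop them unless they are needed for their setup side effects.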