use twisted.web.static, not nevow.static, for public_html/

This avoids a privacy leak when the web.static= directory is configured
but doesn't exist (which is almost always, since we set `web.static =
public_html` in the default config file, but nothing automatically
creates it). The nevow.static.File class tries to os.stat() the
directory before doing anything else, which causes an exception, which
renders the traceback to the HTTP client as a 500 Internal Server Error,
and the traceback includes the full path of the missing public_html
directory, which reveals the node's basedir.

Plain twisted.web.static.File doesn't do this check, and a missing
web.static directory just results in a plain old 404.

Closes ticket:1720.
This commit is contained in:
Brian Warner 2016-04-28 00:35:52 -07:00
parent bde22ad1f7
commit 5a5ba643e6
3 changed files with 13 additions and 2 deletions

View File

@ -4440,6 +4440,17 @@ class Web(WebMixin, WebErrorMixin, testutil.StallMixin, testutil.ReallyEqualMixi
d.addCallback(_check)
return d
def test_static_missing(self):
# self.staticdir does not exist yet, because we used self.mktemp()
d = self.assertFailure(self.GET("/static"), error.Error)
# nevow.static throws an exception when it tries to os.stat the
# missing directory, which gives the client a 500 Internal Server
# Error, and the traceback reveals the parent directory name. By
# switching to plain twisted.web.static, this gives a normal 404 that
# doesn't reveal anything. This addresses #1720.
d.addCallback(lambda e: self.assertEquals(str(e), "404 Not Found"))
return d
class IntroducerWeb(unittest.TestCase):
def setUp(self):

View File

@ -1,8 +1,8 @@
import re, time
from twisted.application import service, strports, internet
from twisted.web import http
from twisted.web import http, static
from twisted.internet import defer
from nevow import appserver, inevow, static
from nevow import appserver, inevow
from allmydata.util import log, fileutil
from allmydata.web import introweb, root

0
topfiles/1720.bugfix Normal file
View File