diff --git a/src/Db/Db.py b/src/Db/Db.py
index cd3d4e71..34dee0ba 100644
--- a/src/Db/Db.py
+++ b/src/Db/Db.py
@@ -16,9 +16,12 @@ class Db:
 def connect(self):
- self.log.debug("Connecting (sqlite version: %s)..." % sqlite3.version)
+ self.log.debug("Connecting to %s (sqlite version: %s)..." % (self.db_path, sqlite3.version))
 if not os.path.isdir(self.db_dir): # Directory not exits yet
 os.makedirs(self.db_dir)
+ self.log.debug("Created Db path: %s" % self.db_dir)
+ if not os.path.isfile(self.db_path):
+ self.log.debug("Db file not exits yet: %s" % self.db_path)
 self.conn = sqlite3.connect(self.db_path)
 self.conn.row_factory = sqlite3.Row
 self.conn.isolation_level = None
diff --git a/src/Test/test.py b/src/Test/test.py
index eb4ec0d7..741b3012 100644
--- a/src/Test/test.py
+++ b/src/Test/test.py
@@ -12,8 +12,8 @@ class TestCase(unittest.TestCase):
 except Exception, err:
 raise unittest.SkipTest(err)
 self.assertIn("Not Found", urllib.urlopen("http://127.0.0.1:43110/media//sites.json").read())
- self.assertIn("Not Found", urllib.urlopen("http://127.0.0.1:43110/media/./sites.json").read())
- self.assertIn("Not Found", urllib.urlopen("http://127.0.0.1:43110/media/../config.py").read())
+ self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/./sites.json").read())
+ self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/../config.py").read())
 self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/1P2rJhkQjYSHdHpWDDwxfRGYXaoWE8u1vV/../sites.json").read())
 self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/1P2rJhkQjYSHdHpWDDwxfRGYXaoWE8u1vV/..//sites.json").read())
 self.assertIn("Forbidden", urllib.urlopen("http://127.0.0.1:43110/media/1P2rJhkQjYSHdHpWDDwxfRGYXaoWE8u1vV/../../config.py").read())
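Review bot: The two updated assertions for `/media/./sites.json` and `/media/../config.py` still match only the word "Forbidden" in the response body, so they do not pin the HTTP status and would pass on any page that happens to contain that word. Checking the status code as well would make these traversal tests stricter, for example `self.assertEqual(urllib.urlopen(url).getcode(), 403)` next to each body check. The test method begins outside this hunk.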
@@ -113,6 +113,46 @@ class TestCase(unittest.TestCase):
 ok += 1
 self.assertEqual(ok, len(SiteManager.TRACKERS))
+
+
+ def testDb(self):
+ print "Importing db..."
+ from Db import Db
+ for db_path in [os.path.abspath("data/test/zeronet.db"), "data/test/zeronet.db"]:
+ print "Creating db using %s..." % db_path,
+ schema = {
+ "db_name": "TestDb",
+ "db_file": "data/test/zeronet.db",
+ "map": {
+ "data.json": {
+ "to_table": {
+ "test": "test"
+ }
+ }
+ },
+ "tables": {
+ "test": {
+ "cols": [
+ ["test_id", "INTEGER"],
+ ["title", "TEXT"],
+ ],
+ "indexes": ["CREATE UNIQUE INDEX test_id ON test(test_id)"],
+ "schema_changed": 1426195822
+ }
+ }
+ }
+
+ if os.path.isfile("data/test/zeronet.db"): os.unlink("data/test/zeronet.db")
+ db = Db(schema, "data/test/zeronet.db")
+ db.checkTables()
+ db.close()
+
+ # Cleanup
+ os.unlink("data/test/zeronet.db")
+ os.rmdir("data/test/")
+ print "ok"
+
+
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 6a6ce86c..d140ebcd 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -204,7 +204,8 @@ class UiRequest(object):
 address = match.group("address")
 file_path = "data/%s/%s" % (address, match.group("inner_path"))
 allowed_dir = os.path.abspath("data/%s" % address) # Only files within data/sitehash allowed
- if ".." in file_path or not os.path.dirname(os.path.abspath(file_path)).startswith(allowed_dir): # File not in allowed path
+ data_dir = os.path.abspath("data") # No files from data/ allowed
+ if ".." in file_path or not os.path.dirname(os.path.abspath(file_path)).startswith(allowed_dir) or allowed_dir == data_dir: # File not in allowed path
 return self.error403()
 else:
 if config.debug and file_path.split("/")[-1].startswith("all."): # When debugging merge *.css to all.css and *.js to all.js
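Review bot: In `testDb` the loop variable `db_path` is only printed, while the `Db(...)` call, the pre-test `os.unlink` and the cleanup all use the literal `"data/test/zeronet.db"`. The absolute-path case that the list sets up is therefore never exercised. Passing the variable through would fix that: `db = Db(schema, db_path)`, with `os.path.isfile(db_path)` / `os.unlink(db_path)` around it. Indentation is lost on this page, so it is unclear whether the cleanup sits inside the loop; if it does, `os.rmdir("data/test/")` on the first pass means the second pass depends on `Db.connect` recreating the directory. A `try/finally` around `checkTables()` would also keep a failing run from leaving the file behind.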
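Review bot: The containment test on the new `if` line is still a plain string prefix on `os.path.abspath`, so it enforces no path-separator boundary and does not resolve symlinks. The added `allowed_dir == data_dir` term only covers an address that normalizes to `data` itself. Consider resolving both sides and comparing with a trailing separator: `allowed_dir = os.path.realpath("data/%s" % address)` and `not os.path.realpath(file_path).startswith(allowed_dir + os.sep)`. The pattern that produces `address` is outside this hunk; if it can yield anything other than a site address, rejecting those values at the match would presumably be more robust than extending the path check. The enclosing method starts and ends outside the hunk.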