1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
|
# IVLE - Informatics Virtual Learning Environment
# Copyright (C) 2007-2008 The University of Melbourne
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
# Module: studpath
# Author: Matt Giuca
# Date: 14/12/2007
# Provides functions for translating URLs into physical locations in the
# student directories in the local file system.
# Also performs common authorization, disallowing students from visiting paths
# they dont own.
import os
import stat
import pysvn
from ivle import util
# Make a Subversion client object (for published)
svnclient = pysvn.Client()
def url_to_local(config, urlpath):
"""Given a URL path (part of a URL query string, see below), returns a
tuple of
* the username of the student whose directory is being browsed
* the absolute path in the file system where that file will be
found within the student directories.
urlpath: Part of the URL, but only the part *after* the application. For
instance, given the URL "/ivle/browse/joe/mydir/myfile", urlpath will
be just "joe/mydir/myfile". The expected result is something like
("joe", "/home/informatics/jails/joe/home/joe/mydir/myfile").
Note that the actual location is not guaranteed by this interface (this
function serves as a single point of control as to how URLs map onto
student directories).
Returns (None, None) if the path is empty.
>>> stubconfig = {'paths': {'jails': {'mounts': '/jails'}}}
>>> url_to_local(stubconfig, 'joe/foo/bar/baz')
('joe', '/jails/joe/home/joe/foo/bar/baz')
>>> url_to_local(stubconfig, 'joe')
('joe', '/jails/joe/home/joe')
>>> url_to_local(stubconfig, 'joe/')
('joe', '/jails/joe/home/joe')
We have some protection from various potential attacks. An empty,
absolute, or ..-prefixed path yields a special result.
>>> url_to_local(stubconfig, '')
(None, None)
>>> url_to_local(stubconfig, '/foo')
(None, None)
>>> url_to_local(stubconfig, '../bar')
(None, None)
"""
# First normalise the path
urlpath = os.path.normpath(urlpath)
# Now if it begins with ".." or separator, then it's illegal
if urlpath.startswith("..") or urlpath.startswith(os.sep):
return (None, None)
# Note: User can be a group name. There is absolutely no difference in our
# current directory scheme.
(user, subpath) = util.split_path(urlpath)
if user is None: return (None, None)
# Join the user onto 'home' then the full path specified.
# This results in the user's name being repeated twice, which is in
# accordance with our directory scheme.
# (The first time is the name of the jail, the second is the user's home
# directory within the jail).
path = os.path.join(config['paths']['jails']['mounts'],
user, 'home', urlpath)
return (user, path)
def url_to_jailpaths(config, urlpath):
"""Given a URL path (part of a URL query string), returns a tuple of
* the username of the student whose directory is being browsed
* the absolute path where the jail will be located.
* the path of the file relative to the jail.
urlpath: See urlpath in url_to_local.
>>> stubconfig = {'paths': {'jails': {'mounts': '/jails'}}}
>>> url_to_jailpaths(stubconfig, "joe/mydir//myfile/.././myfile")
('joe', '/jails/joe', '/home/joe/mydir/myfile')
>>> url_to_jailpaths(stubconfig, "")
(None, None, None)
>>> url_to_jailpaths(stubconfig, "../foo")
(None, None, None)
>>> url_to_jailpaths(stubconfig, "/foo")
(None, None, None)
"""
# First normalise the path
urlpath = os.path.normpath(urlpath)
# Now if it begins with "..", or is absolute, then it's illegal
if urlpath.startswith("..") or os.path.isabs(urlpath):
return (None, None, None)
# Note: User can be a group name. There is absolutely no difference in our
# current directory scheme.
(user, subpath) = util.split_path(urlpath)
if user is None: return (None, None, None)
jail = os.path.join(config['paths']['jails']['mounts'], user)
path = to_home_path(urlpath)
return (user, jail, path)
def to_home_path(urlpath):
"""Given a URL path (eg. joe/foo/bar/baz), returns a path within the home.
>>> to_home_path('joe/foo/bar/baz')
'/home/joe/foo/bar/baz'
>>> to_home_path('joe/foo//bar/baz/../../')
'/home/joe/foo'
>>> to_home_path('joe/foo//bar/baz/../../../../../') is None
True
"""
urlpath = os.path.normpath(urlpath)
# If it begins with '..', it's illegal.
if urlpath.startswith(".."):
return None
return os.path.join('/home', urlpath)
def svnpublished(path):
"""Given a path on the LOCAL file system, determines whether the path has
its "ivle:published" property active (in subversion). Returns True
or False."""
# Read SVN properties for this path
try:
props = svnclient.propget("ivle:published", path, recurse=False)
except pysvn.ClientError:
# Not under version control? Then it isn't published.
return False
return len(props) > 0
def published(path):
"""Given a path on the LOCAL file system, determines whether the path has a
'.published' file. Returns True or False."""
publish_file_path = os.path.join(path,'.published')
return os.access(publish_file_path,os.F_OK)
def worldreadable(path):
"""Given a path on the LOCAL file system, determines whether the path is
world readble. Returns True or False."""
try:
mode = os.stat(path).st_mode
if mode & stat.S_IROTH:
return True
else:
return False
except OSError, e:
return False
def authorize(req, user):
"""Given a request, checks whether req.user is allowed to
access req.path. Returns None on authorization success. Raises
HTTP_FORBIDDEN on failure.
This is for general authorization (assuming not in public mode; this is
the standard auth code for fileservice, download and serve).
"""
# TODO: Groups
# First normalise the path
urlpath = os.path.normpath(req.path)
# Now if it begins with ".." or separator, then it's illegal
if urlpath.startswith("..") or urlpath.startswith(os.sep):
return False
(owner, _) = util.split_path(urlpath)
if user.login != owner:
return False
return True
def authorize_public(req):
"""A different kind of authorization. Rather than making sure the
logged-in user owns the file, this checks if the file is in a published
directory.
This is for the "public mode" of the serve app.
Same interface as "authorize" - None on success, HTTP_FORBIDDEN exception
raised on failure.
"""
_, path = url_to_local(req.config, req.path)
# Walk up the tree, and find the deepest directory.
while not os.path.isdir(path):
path = os.path.dirname(path)
if not (worldreadable(path) and published(path)):
return False
return True
|