test /files/ gives 403 on hidden files

2024-12-27 04:20:22 +08:00 · 2013-10-22 15:23:46 -07:00 · 2013-10-22 15:23:46 -07:00 · 1f90f4d7bb
commit 1f90f4d7bb
parent 2fcc7fe97f
2 changed files with 55 additions and 1 deletions
--- a/IPython/html/services/notebooks/tests/test_notebooks_api.py
+++ b/IPython/html/services/notebooks/tests/test_notebooks_api.py
@ -102,10 +102,12 @@ class APITest(NotebookTestBase):
        nbdir = self.notebook_dir.name

        for d in self.dirs:
+            d.replace('/', os.path.sep)
            if not os.path.isdir(pjoin(nbdir, d)):
                os.mkdir(pjoin(nbdir, d))

        for d, name in self.dirs_nbs:
+            d = d.replace('/', os.path.sep)
            with io.open(pjoin(nbdir, d, '%s.ipynb' % name), 'w') as f:
                nb = new_notebook(name=name)
                write(nb, f, format='ipynb')
@ -309,4 +311,4 @@ class APITest(NotebookTestBase):
        self.assertEqual(r.status_code, 204)
        cps = self.nb_api.get_checkpoints('a.ipynb', 'foo').json()
        self.assertEqual(cps, [])
-    
+
--- a/IPython/html/tests/test_files.py
+++ b/IPython/html/tests/test_files.py
@ -0,0 +1,52 @@
+# coding: utf-8
+"""Test the /files/ handler."""
+
+import io
+import os
+from unicodedata import normalize
+
+pjoin = os.path.join
+
+import requests
+
+from IPython.html.utils import url_path_join
+from .launchnotebook import NotebookTestBase
+from IPython.utils import py3compat
+
+class FilesTest(NotebookTestBase):
+    def test_hidden_files(self):
+        not_hidden = [
+            u'å b',
+            pjoin(u'å b/ç. d')
+        ]
+        hidden = [
+            u'.å b',
+            pjoin(u'å b/.ç d')
+        ]
+        dirs = not_hidden + hidden
+        
+        nbdir = self.notebook_dir.name
+        for d in dirs:
+            path = pjoin(nbdir, d.replace('/', os.path.sep))
+            if not os.path.exists(path):
+                os.mkdir(path)
+            with io.open(pjoin(path, 'foo'), 'w', encoding='utf8') as f:
+                f.write(path)
+            with io.open(pjoin(path, '.foo'), 'w', encoding='utf8') as f:
+                f.write(path + '.foo')
+        url = self.base_url()
+        
+        for d in not_hidden:
+            path = pjoin(nbdir, d.replace('/', os.path.sep))
+            r = requests.get(url_path_join(url, 'files', d, 'foo'))
+            r.raise_for_status()
+            reply = py3compat.cast_unicode(r.content)
+            self.assertEqual(normalize('NFC', path), normalize('NFC', reply))
+            r = requests.get(url_path_join(url, 'files', d, '.foo'))
+            self.assertEqual(r.status_code, 403)
+            
+        for d in hidden:
+            path = pjoin(nbdir, d.replace('/', os.path.sep))
+            for foo in ('foo', '.foo'):
+                r = requests.get(url_path_join(url, 'files', d, foo))
+                self.assertEqual(r.status_code, 403)