31 from cubicweb.misc.source_highlight import highlight_html, generate_css, has_pygments |
31 from cubicweb.misc.source_highlight import highlight_html, generate_css, has_pygments |
32 |
32 |
33 |
33 |
34 DEBUG_DISPLAY_SOURCE_CODE_PATH = '_debug_display_source_code' |
34 DEBUG_DISPLAY_SOURCE_CODE_PATH = '_debug_display_source_code' |
35 |
35 |
|
36 FILES_WHITE_LIST = set() |
|
37 |
36 |
38 |
37 def source_code_url(object_or_class): |
39 def source_code_url(object_or_class): |
38 if object_or_class is None: |
40 if object_or_class is None: |
39 return "" |
41 return "" |
40 |
42 |
44 try: |
46 try: |
45 file_path = inspect.getsourcefile(object_or_class) |
47 file_path = inspect.getsourcefile(object_or_class) |
46 except TypeError: |
48 except TypeError: |
47 logging.debug("Error while trying to source code of '%s'" % object_or_class) |
49 logging.debug("Error while trying to source code of '%s'" % object_or_class) |
48 return "" |
50 return "" |
|
51 |
|
52 FILES_WHITE_LIST.add(file_path) |
49 |
53 |
50 try: |
54 try: |
51 source_code, line = inspect.getsourcelines(object_or_class) |
55 source_code, line = inspect.getsourcelines(object_or_class) |
52 except OSError: # when we couldn't read the source code/line |
56 except OSError: # when we couldn't read the source code/line |
53 return '<a href="../%s?file=%s" target="_blank"><></a>' % ( |
57 return '<a href="../%s?file=%s" target="_blank"><></a>' % ( |
79 source_code_file = request.params["file"] |
83 source_code_file = request.params["file"] |
80 |
84 |
81 if not os.path.exists(source_code_file): |
85 if not os.path.exists(source_code_file): |
82 return Response("Error: file '%s' doesn't exist on the filesystem." % source_code_file) |
86 return Response("Error: file '%s' doesn't exist on the filesystem." % source_code_file) |
83 |
87 |
|
88 # security |
|
89 if source_code_file not in FILES_WHITE_LIST: |
|
90 return Response("Error: access to file is not authorized") |
|
91 |
84 try: |
92 try: |
85 content = open(source_code_file, "r").read() |
93 content = open(source_code_file, "r").read() |
86 except Exception as e: |
94 except Exception as e: |
87 return Response("Error: while opening file '%s' got the error: %s" % (source_code_file, e)) |
95 return Response("Error: while opening file '%s' got the error: %s" % (source_code_file, e)) |
88 |
96 |