[Repoze-checkins] r1210 - repoze.debug/trunk/repoze/debug

Chris McDonough chrism at agendaless.com
Tue Jul 1 13:29:04 EDT 2008


Author: Chris McDonough <chrism at agendaless.com>
Date: Tue Jul  1 13:29:03 2008
New Revision: 1210

Log:
Don't catch errors; use less of WebOb; remove potential security hazard from getStatic by using os.listdir.


Modified:
   repoze.debug/trunk/repoze/debug/ui.py

Modified: repoze.debug/trunk/repoze/debug/ui.py
==============================================================================
--- repoze.debug/trunk/repoze/debug/ui.py	(original)
+++ repoze.debug/trunk/repoze/debug/ui.py	Tue Jul  1 13:29:03 2008
@@ -9,7 +9,6 @@
 import time
 
 from webob import exc
-from webob import Request
 from webob import Response
 
 _HERE = os.path.abspath(os.path.dirname(__file__))
@@ -32,30 +31,26 @@
 
     def __call__(self, environ, start_response):
         """Pick apart this debug URL and return the correct response"""
+        path = environ['PATH_INFO']
 
-        # Make WebOb versions of request and response
-        req = Request(environ)
-
-        try:
-            # Process the request
-            if req.url.find(gui_flag + "/static/") > -1:
-                resp = self.getStatic(req)
-            elif req.url.find(gui_flag + "feed.xml"):
-                resp = self.getFeed(req)
-        except ValueError, e:
-            resp = exc.HTTPBadRequest(str(e))
-        except exc.HTTPException, e:
-            resp = e
+        if '/static/' in path:
+            resp = self.getStatic(path)
+        elif gui_flag + '/feed.xml' in path:
+            resp = self.getFeed()
+        else:
+            raise ValueError('No such handler for debug ui: %s', req.url)
 
         return resp(environ, start_response)
 
-    def getStatic(self, req):
+    def getStatic(self, path):
+        fn = path.split('/')[-1]
 
-        fn = req.url.split("/")[-1]
+        if not (fn in os.listdir(self.static_dir)):
+            raise ValueError('No such static file %s' % fn)
+        
         filename = os.path.join(self.static_dir, fn)
         res = Response(content_type=get_mimetype(filename))
         res.body = open(filename, 'rb').read()
-
         return res
 
     def _generateFeedTagURI(self, when, pid):
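Review bot: The new `else` branch in `__call__` still builds its message from `req.url`, but this commit removes `req`, so an unmatched path raises NameError rather than the intended ValueError; the value is also passed as a second argument instead of being interpolated. It should read `raise ValueError('No such handler for debug ui: %s' % path)`. In `getStatic`, the `os.listdir` membership test confines `fn` to names that exist directly in `static_dir`, but it also accepts a subdirectory name, which would then fail in `open()`; an `os.path.isfile(filename)` check after the join would close that gap. Since `__call__` no longer catches anything, both ValueErrors presumably reach the WSGI server as a 500, so returning `exc.HTTPNotFound()` for unknown names may be the better response.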
@@ -71,7 +66,7 @@
         pid = self.middleware.pid
         return 'tag:repoze.org,%s:%s-%s' % (date, entry['id'], pid)
 
-    def getFeed(self, req):
+    def getFeed(self):
         """Get XML representing information in the middleware"""
 
         entries_xml = []

