From a14d321f1c6152d42341db206d63bbb8b123a327 2013-10-22 22:23:46
From: MinRK <benjaminrk@gmail.com>
Date: 2013-10-22 22:23:46
Subject: [PATCH] test /files/ gives 403 on hidden files
---

diff --git a/IPython/html/services/notebooks/tests/test_notebooks_api.py b/IPython/html/services/notebooks/tests/test_notebooks_api.py
index 9b68169..9f3648d 100644
--- a/IPython/html/services/notebooks/tests/test_notebooks_api.py
+++ b/IPython/html/services/notebooks/tests/test_notebooks_api.py
@@ -102,10 +102,12 @@ class APITest(NotebookTestBase):
         nbdir = self.notebook_dir.name
 
         for d in self.dirs:
+            d.replace('/', os.path.sep)
             if not os.path.isdir(pjoin(nbdir, d)):
                 os.mkdir(pjoin(nbdir, d))
 
         for d, name in self.dirs_nbs:
+            d = d.replace('/', os.path.sep)
             with io.open(pjoin(nbdir, d, '%s.ipynb' % name), 'w') as f:
                 nb = new_notebook(name=name)
                 write(nb, f, format='ipynb')
@@ -309,4 +311,4 @@ class APITest(NotebookTestBase):
         self.assertEqual(r.status_code, 204)
         cps = self.nb_api.get_checkpoints('a.ipynb', 'foo').json()
         self.assertEqual(cps, [])
-    
+
diff --git a/IPython/html/tests/test_files.py b/IPython/html/tests/test_files.py
new file mode 100644
index 0000000..f2e85c2
--- /dev/null
+++ b/IPython/html/tests/test_files.py
@@ -0,0 +1,52 @@
+# coding: utf-8
+"""Test the /files/ handler."""
+
+import io
+import os
+from unicodedata import normalize
+
+pjoin = os.path.join
+
+import requests
+
+from IPython.html.utils import url_path_join
+from .launchnotebook import NotebookTestBase
+from IPython.utils import py3compat
+
+class FilesTest(NotebookTestBase):
+    def test_hidden_files(self):
+        not_hidden = [
+            u'å b',
+            pjoin(u'å b/ç. d')
+        ]
+        hidden = [
+            u'.å b',
+            pjoin(u'å b/.ç d')
+        ]
+        dirs = not_hidden + hidden
+        
+        nbdir = self.notebook_dir.name
+        for d in dirs:
+            path = pjoin(nbdir, d.replace('/', os.path.sep))
+            if not os.path.exists(path):
+                os.mkdir(path)
+            with io.open(pjoin(path, 'foo'), 'w', encoding='utf8') as f:
+                f.write(path)
+            with io.open(pjoin(path, '.foo'), 'w', encoding='utf8') as f:
+                f.write(path + '.foo')
+        url = self.base_url()
+        
+        for d in not_hidden:
+            path = pjoin(nbdir, d.replace('/', os.path.sep))
+            r = requests.get(url_path_join(url, 'files', d, 'foo'))
+            r.raise_for_status()
+            reply = py3compat.cast_unicode(r.content)
+            self.assertEqual(normalize('NFC', path), normalize('NFC', reply))
+            r = requests.get(url_path_join(url, 'files', d, '.foo'))
+            self.assertEqual(r.status_code, 403)
+            
+        for d in hidden:
+            path = pjoin(nbdir, d.replace('/', os.path.sep))
+            for foo in ('foo', '.foo'):
+                r = requests.get(url_path_join(url, 'files', d, foo))
+                self.assertEqual(r.status_code, 403)