From a14d321f1c6152d42341db206d63bbb8b123a327 2013-10-22 22:23:46 From: MinRK Date: 2013-10-22 22:23:46 Subject: [PATCH] test /files/ gives 403 on hidden files --- diff --git a/IPython/html/services/notebooks/tests/test_notebooks_api.py b/IPython/html/services/notebooks/tests/test_notebooks_api.py index 9b68169..9f3648d 100644 --- a/IPython/html/services/notebooks/tests/test_notebooks_api.py +++ b/IPython/html/services/notebooks/tests/test_notebooks_api.py @@ -102,10 +102,12 @@ class APITest(NotebookTestBase): nbdir = self.notebook_dir.name for d in self.dirs: + d.replace('/', os.path.sep) if not os.path.isdir(pjoin(nbdir, d)): os.mkdir(pjoin(nbdir, d)) for d, name in self.dirs_nbs: + d = d.replace('/', os.path.sep) with io.open(pjoin(nbdir, d, '%s.ipynb' % name), 'w') as f: nb = new_notebook(name=name) write(nb, f, format='ipynb') @@ -309,4 +311,4 @@ class APITest(NotebookTestBase): self.assertEqual(r.status_code, 204) cps = self.nb_api.get_checkpoints('a.ipynb', 'foo').json() self.assertEqual(cps, []) - + diff --git a/IPython/html/tests/test_files.py b/IPython/html/tests/test_files.py new file mode 100644 index 0000000..f2e85c2 --- /dev/null +++ b/IPython/html/tests/test_files.py @@ -0,0 +1,52 @@ +# coding: utf-8 +"""Test the /files/ handler.""" + +import io +import os +from unicodedata import normalize + +pjoin = os.path.join + +import requests + +from IPython.html.utils import url_path_join +from .launchnotebook import NotebookTestBase +from IPython.utils import py3compat + +class FilesTest(NotebookTestBase): + def test_hidden_files(self): + not_hidden = [ + u'å b', + pjoin(u'å b/ç. d') + ] + hidden = [ + u'.å b', + pjoin(u'å b/.ç d') + ] + dirs = not_hidden + hidden + + nbdir = self.notebook_dir.name + for d in dirs: + path = pjoin(nbdir, d.replace('/', os.path.sep)) + if not os.path.exists(path): + os.mkdir(path) + with io.open(pjoin(path, 'foo'), 'w', encoding='utf8') as f: + f.write(path) + with io.open(pjoin(path, '.foo'), 'w', encoding='utf8') as f: + f.write(path + '.foo') + url = self.base_url() + + for d in not_hidden: + path = pjoin(nbdir, d.replace('/', os.path.sep)) + r = requests.get(url_path_join(url, 'files', d, 'foo')) + r.raise_for_status() + reply = py3compat.cast_unicode(r.content) + self.assertEqual(normalize('NFC', path), normalize('NFC', reply)) + r = requests.get(url_path_join(url, 'files', d, '.foo')) + self.assertEqual(r.status_code, 403) + + for d in hidden: + path = pjoin(nbdir, d.replace('/', os.path.sep)) + for foo in ('foo', '.foo'): + r = requests.get(url_path_join(url, 'files', d, foo)) + self.assertEqual(r.status_code, 403)