Test that incoming paths cannot contain /../

author: Tommi Virtanen <tv@eagain.net> 2008-03-19 21:28:46 +0200
committer: Tommi Virtanen <tv@eagain.net> 2008-03-19 21:28:46 +0200
commit: f7bcd554fae642585af5f99c3c858eb2d343e1da (patch)
tree: d6c9195fa70b8376b2c5cb2cc491f7a69d325660
parent: Show alternate gitweb.conf access control config. (diff)
download: gitosis-dakkar-f7bcd554fae642585af5f99c3c858eb2d343e1da.tar.gz
gitosis-dakkar-f7bcd554fae642585af5f99c3c858eb2d343e1da.tar.bz2
gitosis-dakkar-f7bcd554fae642585af5f99c3c858eb2d343e1da.zip
1 files changed, 12 insertions, 0 deletions
diff --git a/gitosis/test/test_serve.py b/gitosis/test/test_serve.py
index d6030d2..cf54cc6 100644
--- a/gitosis/test/test_serve.py
+++ b/gitosis/test/test_serve.py
@@ -57,6 +57,18 @@ def test_bad_unsafeArguments():
     eq(str(e), 'Arguments to command look dangerous')
     assert isinstance(e, serve.ServingError)
 
+def test_bad_unsafeArguments_dotdot():
+    cfg = RawConfigParser()
+    e = assert_raises(
+        serve.UnsafeArgumentsError,
+        serve.serve,
+        cfg=cfg,
+        user='jdoe',
+        command='git-upload-pack something/../evil',
+        )
+    eq(str(e), 'Arguments to command look dangerous')
+    assert isinstance(e, serve.ServingError)
+
 def test_bad_forbiddenCommand_read():
     cfg = RawConfigParser()
     e = assert_raises(
author	Tommi Virtanen <tv@eagain.net>	2008-03-19 21:28:46 +0200
committer	Tommi Virtanen <tv@eagain.net>	2008-03-19 21:28:46 +0200
commit	f7bcd554fae642585af5f99c3c858eb2d343e1da (patch)
tree	d6c9195fa70b8376b2c5cb2cc491f7a69d325660
parent	Show alternate gitweb.conf access control config. (diff)
download	gitosis-dakkar-f7bcd554fae642585af5f99c3c858eb2d343e1da.tar.gz gitosis-dakkar-f7bcd554fae642585af5f99c3c858eb2d343e1da.tar.bz2 gitosis-dakkar-f7bcd554fae642585af5f99c3c858eb2d343e1da.zip