File 0002-Raise-error-for-allow-sandbox-when-no-base_url-is-pr.patch of Package python-xmlschema

From 3b4e2631b6fb690b145f288d715ce0720ce76b93 Mon Sep 17 00:00:00 2001
From: Daniel Hillier <daniel.hillier@gmail.com>
Date: Wed, 3 Jun 2020 13:49:07 +1000
Subject: [PATCH 2/4] Raise error for allow="sandbox" when no base_url is
 provided.

Previously when base_url is None it had the behaviour of "local". This
will help people not to forget to supply base_url when using "sandbox".

(cherry picked from commit e0aa7f92482a2732ff0e63239bfb5f8c941d8af7)
---
 xmlschema/resources.py            |  6 +++++-
 xmlschema/tests/test_resources.py | 11 ++++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/xmlschema/resources.py b/xmlschema/resources.py
index 52dff6f..d4f07ac 100644
--- a/xmlschema/resources.py
+++ b/xmlschema/resources.py
@@ -348,9 +348,13 @@ class XMLResource(object):
             raise XMLSchemaResourceError("block access to local resource {}".format(url))
         elif is_remote_url(url):
             raise XMLSchemaResourceError("block access to remote resource {}".format(url))
-        elif self.allow == 'local' or self._base_url is None:
+        elif self.allow == 'local':
             return
         else:
+            if self._base_url is None:
+                raise XMLSchemaResourceError(
+                    "block access to files out of sandbox requires 'base_url' to be set"
+                )
             path = os.path.normpath(os.path.normcase(urlsplit(url).path))
             base_path = os.path.normpath(os.path.normcase(urlsplit(self._base_url).path))
             if not path.startswith(base_path):
diff --git a/xmlschema/tests/test_resources.py b/xmlschema/tests/test_resources.py
index 28fde20..c8264c5 100644
--- a/xmlschema/tests/test_resources.py
+++ b/xmlschema/tests/test_resources.py
@@ -383,7 +383,9 @@ class TestResources(unittest.TestCase):
         base_url = resource.base_url
 
         XMLResource(self.vh_xml_file, allow='local')
-        XMLResource(self.vh_xml_file, allow='sandbox')
+        XMLResource(
+            self.vh_xml_file, base_url=os.path.dirname(self.vh_xml_file), allow='sandbox'
+        )
 
         with self.assertRaises(XMLSchemaResourceError) as ctx:
             XMLResource(self.vh_xml_file, allow='remote')
@@ -399,6 +401,13 @@ class TestResources(unittest.TestCase):
         self.assertEqual(str(ctx.exception),
                          "block access to remote resource https://xmlschema.test/vehicles.xsd")
 
+        with self.assertRaises(XMLSchemaResourceError) as ctx:
+            XMLResource("/tmp/vehicles.xsd", allow='sandbox')
+        self.assertEqual(
+            str(ctx.exception),
+            "block access to files out of sandbox requires 'base_url' to be set",
+        )
+
         with self.assertRaises(XMLSchemaResourceError) as ctx:
             XMLResource("/tmp/vehicles.xsd", base_url=base_url, allow='sandbox')
         self.assertEqual(str(ctx.exception),
-- 
2.29.2

openSUSE Build Service is sponsored by