File 0002-Raise-error-for-allow-sandbox-when-no-base_url-is-pr.patch of Package python-xmlschema
From 3b4e2631b6fb690b145f288d715ce0720ce76b93 Mon Sep 17 00:00:00 2001
From: Daniel Hillier <daniel.hillier@gmail.com>
Date: Wed, 3 Jun 2020 13:49:07 +1000
Subject: [PATCH 2/4] Raise error for allow="sandbox" when no base_url is
provided.
Previously, when base_url was None, allow="sandbox" behaved like "local". This
change helps people not to forget to supply base_url when using "sandbox".
(cherry picked from commit e0aa7f92482a2732ff0e63239bfb5f8c941d8af7)
---
xmlschema/resources.py | 6 +++++-
xmlschema/tests/test_resources.py | 11 ++++++++++-
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/xmlschema/resources.py b/xmlschema/resources.py
index 52dff6f..d4f07ac 100644
--- a/xmlschema/resources.py
+++ b/xmlschema/resources.py
@@ -348,9 +348,13 @@ class XMLResource(object):
raise XMLSchemaResourceError("block access to local resource {}".format(url))
elif is_remote_url(url):
raise XMLSchemaResourceError("block access to remote resource {}".format(url))
- elif self.allow == 'local' or self._base_url is None:
+ elif self.allow == 'local':
return
else:
+ if self._base_url is None:
+ raise XMLSchemaResourceError(
+ "block access to files out of sandbox requires 'base_url' to be set"
+ )
path = os.path.normpath(os.path.normcase(urlsplit(url).path))
base_path = os.path.normpath(os.path.normcase(urlsplit(self._base_url).path))
if not path.startswith(base_path):
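Review bot: The containment test on the unchanged last line of this hunk, `if not path.startswith(base_path):`, compares raw strings, so a path in a sibling directory whose name merely begins with the base directory's name (constructed example: base `/data/schemas`, path `/data/schemas-old/x.xsd`) is treated as inside the sandbox. Now that `allow='sandbox'` fails closed without a `base_url`, the comparison should also be made on a path-component boundary, for example `if path != base_path and not path.startswith(base_path.rstrip(os.sep) + os.sep):`. `os.path.normpath` does not resolve symbolic links either, so a link inside the base directory can still lead outside it; whether that matters depends on who controls that directory. The rest of the method lies outside the hunk.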
diff --git a/xmlschema/tests/test_resources.py b/xmlschema/tests/test_resources.py
index 28fde20..c8264c5 100644
--- a/xmlschema/tests/test_resources.py
+++ b/xmlschema/tests/test_resources.py
@@ -383,7 +383,9 @@ class TestResources(unittest.TestCase):
base_url = resource.base_url
XMLResource(self.vh_xml_file, allow='local')
- XMLResource(self.vh_xml_file, allow='sandbox')
+ XMLResource(
+ self.vh_xml_file, base_url=os.path.dirname(self.vh_xml_file), allow='sandbox'
+ )
with self.assertRaises(XMLSchemaResourceError) as ctx:
XMLResource(self.vh_xml_file, allow='remote')
@@ -399,6 +401,13 @@ class TestResources(unittest.TestCase):
self.assertEqual(str(ctx.exception),
"block access to remote resource https://xmlschema.test/vehicles.xsd")
+ with self.assertRaises(XMLSchemaResourceError) as ctx:
+ XMLResource("/tmp/vehicles.xsd", allow='sandbox')
+ self.assertEqual(
+ str(ctx.exception),
+ "block access to files out of sandbox requires 'base_url' to be set",
+ )
+
with self.assertRaises(XMLSchemaResourceError) as ctx:
XMLResource("/tmp/vehicles.xsd", base_url=base_url, allow='sandbox')
self.assertEqual(str(ctx.exception),
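Review bot: The sandbox assertions in this hunk only use `/tmp/vehicles.xsd`, which is presumably unrelated to `base_url`, so the boundary of the check in `xmlschema/resources.py` is never exercised. Two more cases would pin the behaviour: a path in a sibling directory whose name starts with the base directory's name, and a path with `..` segments that normalises to a location outside it. Both should raise `XMLSchemaResourceError`. The final `assertEqual` call continues past the end of this hunk.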
--
2.29.2