Handle excessively long paths

2024-06-06 18:06:44 +10:00 · 2024-06-06 18:06:44 +10:00 · 31fa3694ea
commit 31fa3694ea
parent 52d72eb554
2 changed files with 14 additions and 4 deletions
--- a/conservancy/tests.py
+++ b/conservancy/tests.py
@ -55,3 +55,9 @@ def test_path_traversal_404s(rf):
    request = rf.get('/about/../../../conservancy-website.sqlite3')
    with pytest.raises(Http404):
        views.content(request)
+
+
+def test_long_path_404s(rf):
+    request = rf.get('x' * 1000)
+    with pytest.raises(Http404):
+        views.content(request)
--- a/conservancy/views.py
+++ b/conservancy/views.py
@ -52,11 +52,15 @@ def content(request, *args, **kwargs):
        path += 'index.html'
    full_path = (base_path / path).resolve()
    safe_from_path_traversal = full_path.is_relative_to(base_path)
+    try:
        if full_path.is_dir():
            # Should have been accessed with a trailing slash.
            return HttpResponseRedirect(request.path + '/')
        elif not full_path.exists() or not safe_from_path_traversal:
            raise Http404()
+    except OSError:
+        # eg. path is too long
+        raise Http404()
    is_template = mimetypes.guess_type(full_path)[0] == 'text/html'
    if not is_template:
        return FileResponse(open(full_path, 'rb'))