From: Evan Broder Date: Mon, 7 Apr 2008 00:08:04 +0000 (-0400) Subject: Validate the locker name before using it for anything X-Git-Tag: sipb-xen-www/3.4~56 X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/commitdiff_plain/6615e67c6de090b18e33aa77e87255bd9f65d9a9?ds=inline Validate the locker name before using it for anything svn path=/trunk/packages/sipb-xen-www/; revision=408 --- diff --git a/code/getafsgroups.py b/code/getafsgroups.py index 899de81..9e0f31f 100644 --- a/code/getafsgroups.py +++ b/code/getafsgroups.py @@ -1,6 +1,7 @@ #!/usr/bin/python import pprint import subprocess +from webcommon import InvalidInput # import ldap # l = ldap.open("W92-130-LDAP-2.mit.edu") @@ -34,6 +35,11 @@ def getAfsGroupMembers(group, cell): return [] return [line.strip() for line in p.stdout.readlines()[1:]] +def getLockerPath(locker): + if '/' in locker or locker in ['.', '..']: + raise InvalidInput('owner', locker, 'Locker name is invalid.') + return '/mit/' + locker + def checkAfsGroup(user, group, cell): """ checkAfsGroup(user, group) returns True if and only if user is in AFS group group in cell cell @@ -41,14 +47,14 @@ def checkAfsGroup(user, group, cell): return user in getAfsGroupMembers(group, cell) def getCell(locker): - p = subprocess.Popen(["fs", "whichcell", "/mit/" + locker], + p = subprocess.Popen(["fs", "whichcell", getLockerPath(locker)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) if p.wait(): raise MyException(p.stderr.read()) return p.stdout.read().split()[-1][1:-1] def getLockerAcl(locker): - p = subprocess.Popen(["fs", "listacl", "/mit/" + locker], + p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) if p.wait(): raise MyException(p.stderr.read()) @@ -58,7 +64,7 @@ def getLockerAcl(locker): fields = line.split() if fields[0] == 'Negative': break - if 'rlidwka' in fields[1]: + if 'a' in fields[1]: values.append(fields[0]) return values @@ -79,7 +85,7 @@ def notLockerOwner(user, locker): if entry == user or (entry[0:6] == "system" and checkAfsGroup(user, entry, cell)): return False - return "You don't have admin bits on /mit/" + locker + return "You don't have admin bits on " + getLockerPath(locker) if __name__ == "__main__": diff --git a/code/main.py b/code/main.py index ebbd7dd..8204fb4 100755 --- a/code/main.py +++ b/code/main.py @@ -448,7 +448,7 @@ The administrator field determines who can access the console and power on and off the machine. This can be either a user or a moira group.""", quotas=""" -Quotas are determined on a per-locker basis. Each quota may have a +Quotas are determined on a per-locker basis. Each locker may have a maximum of 512 megabytes of active ram, 50 gigabytes of disk, and 4 active machines.""", console="""