[ARVADOS] updated: 1.1.0-21-g1a6a840

Git user git at public.curoverse.com
Sun Oct 15 13:18:44 EDT 2017


Summary of changes:
 services/keep-web/handler.go      | 26 ++++++++++++++------------
 services/keep-web/handler_test.go | 14 +++++++++++++-
 2 files changed, 27 insertions(+), 13 deletions(-)

       via  1a6a840d3bad6c28d8fa4c04a7610fbb8bf8423f (commit)
      from  991d7d7967cef46bf5aebf95f946e3072aa1e933 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 1a6a840d3bad6c28d8fa4c04a7610fbb8bf8423f
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Sun Oct 15 13:17:06 2017 -0400

    12216: Fix crash at path "/c=foo"
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index ab04568..653a501 100644
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -346,7 +346,10 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	basename := targetPath[len(targetPath)-1]
+	var basename string
+	if len(targetPath) > 0 {
+		basename = targetPath[len(targetPath)-1]
+	}
 	applyContentDispositionHdr(w, r, basename, attachment)
 
 	fs := collection.FileSystem(&arvados.Client{
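Review bot: The new `len(targetPath) > 0` guard leaves `basename` empty with no explanation of when that happens or what the empty value means downstream. A comment above `var basename string` would help, e.g. `// targetPath is empty when the request names only the collection (e.g. "/c=foo"); there is no file name to suggest in that case.` The empty string is then passed to `applyContentDispositionHdr`, whose body is outside this hunk. It is worth confirming that it omits the filename parameter rather than emitting an empty one when `attachment` is set.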
@@ -386,7 +389,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 		// ".../dirname/". This way, relative links in the
 		// listing for "dirname" can always be "fnm", never
 		// "dirname/fnm".
-		h.seeOtherWithCookie(w, r, basename+"/", credentialsOK)
+		h.seeOtherWithCookie(w, r, r.URL.Path+"/", credentialsOK)
 	} else if stat.IsDir() {
 		h.serveDirectory(w, r, collection.Name, fs, openPath, stripParts)
 	} else {
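Review bot: The redirect target in the `h.seeOtherWithCookie(w, r, r.URL.Path+"/", credentialsOK)` call is now built from the decoded request path. If seeOtherWithCookie parses or emits `location` as a URL reference, a directory name containing `?`, `#` or `%` would be re-interpreted, and a path beginning with `//` could be read as a host. How `location` becomes the Location header is outside this hunk, so this needs confirming rather than being a proven defect. Passing the escaped form keeps the path intact: `h.seeOtherWithCookie(w, r, r.URL.EscapedPath()+"/", credentialsOK)`. A TestDirectoryListing case with a reserved character in the directory name would pin the behaviour.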
@@ -547,16 +550,16 @@ func applyContentDispositionHdr(w http.ResponseWriter, r *http.Request, filename
 }
 
 func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, location string, credentialsOK bool) {
-	if !credentialsOK {
-		// It is not safe to copy the provided token
-		// into a cookie unless the current vhost
-		// (origin) serves only a single collection or
-		// we are in TrustAllContent mode.
-		w.WriteHeader(http.StatusBadRequest)
-		return
-	}
-
 	if formToken := r.FormValue("api_token"); formToken != "" {
+		if !credentialsOK {
+			// It is not safe to copy the provided token
+			// into a cookie unless the current vhost
+			// (origin) serves only a single collection or
+			// we are in TrustAllContent mode.
+			w.WriteHeader(http.StatusBadRequest)
+			return
+		}
+
 		// The HttpOnly flag is necessary to prevent
 		// JavaScript code (included in, or loaded by, a page
 		// in the collection being served) from employing the
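Review bot: Moving the `!credentialsOK` check inside the `api_token` branch makes the safety of seeOtherWithCookie depend on the cookie being written only inside that branch, and nothing in the code records that invariant. A comment above the `if formToken := r.FormValue("api_token")` line would do it, e.g. `// With no form token, nothing is copied into a cookie, so redirecting is safe even when !credentialsOK.` The test changes in this commit exercise the new redirect path, but none visibly asserts that a request carrying api_token with credentialsOK false still receives 400. Such a test may exist elsewhere in handler_test.go. The function body continues outside the hunk.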
@@ -568,7 +571,6 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
 		// bar, and in the case of a POST request to avoid
 		// raising warnings when the user refreshes the
 		// resulting page.
-
 		http.SetCookie(w, &http.Cookie{
 			Name:     "arvados_api_token",
 			Value:    auth.EncodeTokenCookie([]byte(formToken)),
diff --git a/services/keep-web/handler_test.go b/services/keep-web/handler_test.go
index 190554d..a670997 100644
--- a/services/keep-web/handler_test.go
+++ b/services/keep-web/handler_test.go
@@ -529,6 +529,18 @@ func (s *IntegrationSuite) TestDirectoryListing(c *check.C) {
 			cutDirs: 2,
 		},
 		{
+			uri:     "collections.example.com/c=" + arvadostest.FooAndBarFilesInDirUUID + "/t=" + arvadostest.ActiveToken,
+			header:  nil,
+			expect:  []string{"dir1/foo", "dir1/bar"},
+			cutDirs: 2,
+		},
+		{
+			uri:     "download.example.com/c=" + arvadostest.FooAndBarFilesInDirUUID,
+			header:  authHeader,
+			expect:  []string{"dir1/foo", "dir1/bar"},
+			cutDirs: 1,
+		},
+		{
 			uri:     "download.example.com/c=" + arvadostest.FooAndBarFilesInDirUUID + "/dir1/",
 			header:  authHeader,
 			expect:  []string{"foo", "bar"},
@@ -571,7 +583,7 @@ func (s *IntegrationSuite) TestDirectoryListing(c *check.C) {
 				Host:       u.Host,
 				URL:        u,
 				RequestURI: u.RequestURI(),
-				Header:     http.Header{},
+				Header:     trial.header,
 			}
 			cookies = append(cookies, (&http.Response{Header: resp.Header()}).Cookies()...)
 			for _, c := range cookies {
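Review bot: `Header: trial.header` hands every request the trial's own header map, and for most trials that is the shared `authHeader`. If the loop body that follows (outside this hunk) adds the collected cookies to the request, it would write into that shared map, so cookies could leak into later trials. The same write would panic on the trial that sets `header: nil`. Building a fresh map per request avoids both: `hdr := http.Header{}` followed by `for k, v := range trial.header { hdr[k] = append([]string(nil), v...) }`, then `Header: hdr`.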

-----------------------------------------------------------------------


hooks/post-receive
-- 



