Merge "Subtle change to tempurl content-disposition names"

2013-05-30 19:18:10 +00:00 · 2013-05-30 19:18:10 +00:00 · 00f5d327ca
commit 00f5d327ca
parent 2c9aee55fb 8d681f0618
2 changed files with 40 additions and 2 deletions
--- a/swift/common/middleware/tempurl.py
+++ b/swift/common/middleware/tempurl.py
@ -291,11 +291,11 @@ class TempURL(object):
                                   if h.lower() != 'content-disposition')
                    already = False
                if not already:
+                    name = filename or basename(env['PATH_INFO'].rstrip('/'))
                    headers.append((
                        'Content-Disposition',
                        'attachment; filename="%s"' % (
-                            filename or
-                            basename(env['PATH_INFO'])).replace('"', '\\"')))
+                            name.replace('"', '\\"'))))
            return start_response(status, headers, exc_info)

        return self.app(env, _start_response)
--- a/test/unit/common/middleware/test_tempurl.py
+++ b/test/unit/common/middleware/test_tempurl.py
@ -160,6 +160,44 @@ class TestTempURL(unittest.TestCase):
        self.assertEquals(req.environ['swift.authorize_override'], True)
        self.assertEquals(req.environ['REMOTE_USER'], '.wsgi.tempurl')

+    def test_obj_trailing_slash(self):
+        method = 'GET'
+        expires = int(time() + 86400)
+        path = '/v1/a/c/o/'
+        key = 'abc'
+        hmac_body = '%s\n%s\n%s' % (method, expires, path)
+        sig = hmac.new(key, hmac_body, sha1).hexdigest()
+        req = self._make_request(path, environ={
+            'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
+                sig, expires)})
+        req.environ['swift.cache'].set('temp-url-keys/a', [key])
+        self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
+        resp = req.get_response(self.tempurl)
+        self.assertEquals(resp.status_int, 200)
+        self.assertEquals(resp.headers['content-disposition'],
+                          'attachment; filename="o"')
+        self.assertEquals(req.environ['swift.authorize_override'], True)
+        self.assertEquals(req.environ['REMOTE_USER'], '.wsgi.tempurl')
+
+    def test_filename_trailing_slash(self):
+        method = 'GET'
+        expires = int(time() + 86400)
+        path = '/v1/a/c/o'
+        key = 'abc'
+        hmac_body = '%s\n%s\n%s' % (method, expires, path)
+        sig = hmac.new(key, hmac_body, sha1).hexdigest()
+        req = self._make_request(path, environ={
+            'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s&'
+            'filename=/i/want/this/just/as/it/is/' % (sig, expires)})
+        req.environ['swift.cache'].set('temp-url-keys/a', [key])
+        self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
+        resp = req.get_response(self.tempurl)
+        self.assertEquals(resp.status_int, 200)
+        self.assertEquals(resp.headers['content-disposition'],
+                          'attachment; filename="/i/want/this/just/as/it/is/"')
+        self.assertEquals(req.environ['swift.authorize_override'], True)
+        self.assertEquals(req.environ['REMOTE_USER'], '.wsgi.tempurl')
+
    def test_get_valid_but_404(self):
        method = 'GET'
        expires = int(time() + 86400)