diff --git a/reviewboard/admin/security_checks.py b/reviewboard/admin/security_checks.py
index 9f029e8ac5b4f084fbb00a50d800f7c749fcdef2..b7068ddbd53fb7b8dd2bcad6b70d0bf0a2081730 100644
--- a/reviewboard/admin/security_checks.py
+++ b/reviewboard/admin/security_checks.py
@@ -74,6 +74,8 @@ class BaseExecutableFileCheck(BaseSecurityCheck):
 if self._using_default_storage():
 for i, file_check in enumerate(self.file_checks):
 extensions_list, content = file_check
+ assert isinstance(content, bytes)
+
 bad_extensions = set()
 for ext in extensions_list:
@@ -183,41 +185,41 @@ class ServerExecutableFileCheck(BaseExecutableFileCheck):
 (
 ['.php', '.php3', '.php4', '.php5', '.phps', '.phtml', '.phtm'],
- ''
+ b''
 ),
 (
 ['.pl', '.py'],
- 'print "Hello, World!"'
+ b'print "Hello, World!"'
 ),
 (
 ['.html', '.htm', '.shtml', '.pht'],
- ('\n'
- '\n'
- 'Hello, world!\n'
- '\n'
- '\n'
- '

Hello, world!

\n'
- '\n'
- '\n'
- '\n'
- '')
+ (b'\n'
+ b'\n'
+ b'Hello, world!\n'
+ b'\n'
+ b'\n'
+ b'

Hello, world!

\n'
+ b'\n'
+ b'\n'
+ b'\n'
+ b'')
 ),
 (
 ['.jsp'],
- '<%= new String("Hello!") %>'
+ b'<%= new String("Hello!") %>'
 ),
 (
 ['.asp'],
- '<%="Hello World!"%>'
+ b'<%="Hello World!"%>'
 ),
 (
 ['.fcgi', '.cgi', '.sh'],
- ('#!/bin/sh\n'
- 'echo "Hello World!"')
+ (b'#!/bin/sh\n'
+ b'echo "Hello World!"')
 ),
 (
 ['.rb'],
- 'puts "Hello world!"'
+ b'puts "Hello world!"'
 )
 ]
@@ -254,7 +256,7 @@ class ServerExecutableFileCheck(BaseExecutableFileCheck):
 else:
 raise e
- with self.storage.open(filename, 'r') as f:
+ with self.storage.open(filename, 'rb') as f:
 return data == f.read()
@@ -288,20 +290,20 @@ class BrowserExecutableFileCheck(BaseExecutableFileCheck):
 self.file_checks = [
 (
 ['.htm', '.html', '.shtml', '.stm', '.shtm'],
- '',
+ b'',
 ),
 (
 ['.svg'],
- ''
- ' '
- '',
+ b''
+ b' '
+ b'',
 ),
 (
 ['.svgz'],
 zlib.compress(
- ''
- ' '
- '',
+ b''
+ b' '
+ b'',
 ),
 ),
 ]
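Review bot: `return data == f.read()` at the end of the third hunk (the `@@ -254,7 +256,7 @@` one) reads the whole stored object into memory before comparing, although the check only needs to know whether the bytes it wrote came back intact; bounding the read with `return data == f.read(len(data) + 1)` keeps the comparison exact while capping memory if a larger, pre-existing object happens to live at `filename`. The enclosing method starts outside the hunk, so I cannot confirm from here that `filename` is always written by the check itself before being opened. Opening in `'rb'` makes the read-back bytes consistent with the `assert isinstance(content, bytes)` guard added in the first hunk; that guard would benefit from a why-comment, e.g. `# Content is written to storage and compared byte-for-byte on read-back, so it must be bytes.`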