zerver: Block access to subdirectories when visiting user docs articles.

Fixes #6770
2017-10-02 10:51:17 -07:00 · 2017-10-02 10:51:17 -07:00 · cfeb125624
parent ea75772a01
commit cfeb125624
2 changed files with 5 additions and 1 deletions
--- a/zerver/tests/test_urls.py
+++ b/zerver/tests/test_urls.py
@ -47,7 +47,7 @@ class PublicURLTest(ZulipTestCase):
                          "/json/messages",
                          "/api/v1/streams",
                          ],
-                    404: ["/help/nonexistent"],
+                    404: ["/help/nonexistent", "/help/include/admin"],
                    }

        # Add all files in 'templates/zerver/help' directory (except for 'main.html' and
--- a/zerver/views/integrations.py
+++ b/zerver/views/integrations.py
@ -56,6 +56,8 @@ class HelpView(ApiURLView):
        # type: (str) -> str
        if article == "":
            article = "index"
+        elif "/" in article:
+            article = "missing"
        return self.path_template % (article,)

    def get_context_data(self, **kwargs):
@ -83,6 +85,8 @@ class HelpView(ApiURLView):
        except loader.TemplateDoesNotExist:
            # Ensure a 404 response code if no such document
            result.status_code = 404
+        if "/" in article:
+            result.status_code = 404
        return result