Python cross-site scripting exploits?

Robin Becker robin at jessikat.fsnet.co.uk
Thu May 23 10:10:42 EDT 2002


In article <slrnaept7v.32d.akuchlin at ute.mems-exchange.org>, A.M.
Kuchling <akuchlin at ute.mems-exchange.org> writes
>In article <DuIBcWA5WK78Ewyc at jessikat.fsnet.co.uk>,
>       Robin Becker wrote:
>> The alleged fix seems to involve more complete argument checking, is
>> that required for any such defence? What should the request response be?
>
>CSRF attacks have nothing to do with eval() or compile(); they come from
>including untrusted bits of text in HTML output without escaping them.
>This means that if someone manages to input <script>...javascript
>code...</script> into the program (perhaps by putting it in their CVS
>checkin message), someone who comes along and views the page later
>will end up running that JavaScript code.  
>
>The solution is difficult: you just have to be very careful to always
>escape text of unknown provenance that's in HTML.  
>
>--amk
>
That was my first guess, i.e. viewCVS by its nature has the URL appearing
on the returned page (possibly more than once). Clearly the correct bit
of URL has only acceptable characters and known arguments. If these are
not well formed then presumably an error should be raised. I suppose
lib/cgi.py doesn't have a safe mode where you can tell it the allowed
argument structure for GET type requests :(
-- 
Robin Becker
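As an added example (not code from this thread or from ViewCVS), here is a Python sketch of the two defences discussed above: escaping everything of unknown provenance before it goes into HTML, and the "safe mode" Robin asks for, where only known GET arguments with well-formed values are accepted and anything else is an error. The argument schema and the /viewcvs.cgi URL are constructed assumptions, not ViewCVS's real interface.

```python
import html
import re
from urllib.parse import parse_qs, urlencode

# Allowed GET argument names and the shape each value must have. This schema
# is constructed for the example; it is not ViewCVS's real argument list.
ARGUMENT_SCHEMA = {
    "rev": re.compile(r"^\d+(\.\d+)*$"),              # a CVS revision such as 1.5
    "view": re.compile(r"^(markup|log|diff)$"),       # a fixed set of views
    "path": re.compile(r"^[A-Za-z0-9_./-]{1,200}$"),  # a conservative path alphabet
}


def parse_checked_query(query_string):
    """Accept only known arguments with well-formed values; raise ValueError
    otherwise so the caller can answer with an error page, not an echo."""
    try:
        # strict_parsing rejects fields without '=' instead of dropping them;
        # keep_blank_values makes an empty value such as "rev=" visible.
        fields = parse_qs(query_string, keep_blank_values=True, strict_parsing=True)
    except ValueError as exc:
        raise ValueError("malformed query string") from exc
    checked = {}
    for name, values in fields.items():
        pattern = ARGUMENT_SCHEMA.get(name)
        if pattern is None:
            raise ValueError("unknown argument %r" % name)
        if len(values) != 1 or not pattern.match(values[0]):
            raise ValueError("ill-formed value for argument %r" % name)
        checked[name] = values[0]
    return checked


def is_well_formed(query_string):
    """True if parse_checked_query would accept the query string."""
    try:
        parse_checked_query(query_string)
    except ValueError:
        return False
    return True


def render_page(query_string, log_message):
    """Build HTML showing the request URL and a CVS log message. Both are of
    unknown provenance, so both are escaped: a <script> tag in either is
    displayed as text rather than run by the viewer's browser."""
    args = parse_checked_query(query_string)
    # Echo a URL rebuilt from the validated arguments, never the raw input.
    self_url = "/viewcvs.cgi?" + urlencode(args)
    return '<p>URL: <a href="%s">%s</a></p>\n<pre>%s</pre>' % (
        html.escape(self_url, quote=True), html.escape(self_url), html.escape(log_message))
```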