CGI Tutorial

Clodoaldo Pinto Neto clodoaldo.pinto at gmail.com
Fri Oct 6 22:56:42 CEST 2006


and-google at doxdesk.com wrote:
> Clodoaldo Pinto Neto wrote:
>
> > print '<p>The submited name was "' + name + '"</p>'
>
> Bzzt! Script injection security hole. See cgi.escape and use it (or a
> similar function) for *all* text -> HTML output.
>
> > open('files/' + fileitem.filename, 'w')
>
> BZZZZZZT. filesystem overwriting security hole, possibly escalatable to
> code execution. clue: fileitem.filename= '../../something.py'

Do you think os.path.basename() is good enough?
========================
#!/usr/bin/env python
import cgi, os.path

form = cgi.FieldStorage()
fileitem = form['file']
fn = fileitem.filename
fnb = os.path.basename(fn)

print """\
Content-Type: text/plain\n
filename = "%s"
basename = "%s"
""" % (fn, fnb)
========================

[cpn at dkt ~]$ nc teste.s0 80
POST /cgi-bin/dir_traversal.py HTTP/1.1
Host: teste.s0
Content-Type: multipart/form-data;
boundary=---------------------------170451527316340742161395972977
Content-Length: 226

-----------------------------170451527316340742161395972977
Content-Disposition: form-data; name="file"; filename="../test.txt"
Content-Type: text/plain

file text

-----------------------------170451527316340742161395972977--
HTTP/1.1 200 OK
Date: Fri, 06 Oct 2006 20:48:58 GMT
Server: Apache/2.2.2 (Fedora)
Content-Length: 48
Content-Type: text/plain; charset=UTF-8

filename = "../test.txt"
basename = "test.txt"


Regards, Clodoaldo




More information about the Python-list mailing list