An error when i switched from python v2.6.6 => v3.2.3

Ian Kelly ian.g.kelly at gmail.com
Fri Mar 8 21:01:59 CET 2013


On Fri, Mar 8, 2013 at 12:19 PM,  <info at cravendot.gr> wrote:
> I dare anyone who wants to to mess with 'htmlpage' variable value's now!
>
> I made it unhackable i believe!
>
> I'am testing it myself 3 hours now and find it safe!
>
> Please feel free to try also!

Okay, done.  I was still able to read your source files, and I was
still able to write a file to your webserver.  All I had to do was
change 'htmlpage' to 'page' in the example URLs I sent you before.
Validating the 'htmlpage' field does nothing if you also switch the
dispatch to the 'page' field.

And as far as the validation goes, from what I can see in the source,
it looks like you're just checking whether the string '.html' appears
in it somewhere.  It's not hard at all to craft a malicious page
request that meets that.

As a start, try checking that the file actually exists before doing
anything with it, and that it is in one of the directories used by
your web server.



More information about the Python-list mailing list