An error when I switched from python v2.6.6 => v3.2.3

Ian Kelly ian.g.kelly at gmail.com
Fri Mar 8 21:04:58 CET 2013


On Fri, Mar 8, 2013 at 1:01 PM, Ian Kelly <ian.g.kelly at gmail.com> wrote:
> On Fri, Mar 8, 2013 at 12:19 PM,  <info at cravendot.gr> wrote:
>> I dare anyone who wants to mess with the 'htmlpage' variable's value now!
>>
>> I made it unhackable, I believe!
>>
>> I've been testing it myself for 3 hours now and find it safe!
>>
>> Please feel free to try also!
>
> Okay, done.  I was still able to read your source files, and I was
> still able to write a file to your webserver.  All I had to do was
> change 'htmlpage' to 'page' in the example URLs I sent you before.
> Validating the 'htmlpage' field does nothing if you also switch the
> dispatch to the 'page' field.
>
> And as far as the validation goes, from what I can see in the source,
> it looks like you're just checking whether the string '.html' appears
> in it somewhere.  It's not hard at all to craft a malicious page
> request that meets that.
>
> As a start, try checking that the file actually exists before doing
> anything with it, and that it is in one of the directories used by
> your web server.

os.path.isfile will help with the former, while os.path.realname and
os.path.dirname will help with the latter.
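As an added illustration of the two checks suggested above (not code from the thread or from the original poster's site), the weak substring test is shown next to a resolver that uses os.path.realpath and os.path.commonpath (assumed here as the standard-library functions for the containment test) together with os.path.isfile; the directory layout in demo() is constructed in a temporary directory.

```python
import os
import tempfile


def weak_check(requested):
    """The substring test criticised in the thread: it passes for any
    value that merely contains '.html' somewhere."""
    return '.html' in requested


def resolve_page(requested, base_dir):
    """Return the real path of an existing page file under base_dir, or None.

    realpath() collapses '..' and symlinks before the containment test, so
    the comparison is made against where the path actually lands on disk.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # An absolute or traversing request resolves outside base: refuse it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    # Only serve regular files that exist (no directories, no missing files).
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Constructed layout: a web root with index.html and a sibling
    directory that must never be served. Returns each check's outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, 'htdocs')
        private = os.path.join(tmp, 'private')
        os.makedirs(webroot)
        os.makedirs(private)
        with open(os.path.join(webroot, 'index.html'), 'w') as f:
            f.write('<h1>home</h1>')
        with open(os.path.join(private, 'notes.html'), 'w') as f:
            f.write('not for the web')
        traversing = os.path.join('..', 'private', 'notes.html')
        return {
            'weak_accepts_traversal': weak_check(traversing),
            'strict_accepts_traversal': resolve_page(traversing, webroot) is not None,
            'strict_accepts_index': resolve_page('index.html', webroot) is not None,
            'strict_accepts_missing': resolve_page('missing.html', webroot) is not None,
            'strict_accepts_dir': resolve_page('.', webroot) is not None,
        }


if __name__ == '__main__':
    for name, value in demo().items():
        print(name, value)
```

The same resolver should be applied to whichever request field actually selects the file, since validating one field while dispatching on another leaves the check with no effect.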
