An error when i switched from python v2.6.6 => v3.2.3
ian.g.kelly at gmail.com
Fri Mar 8 21:04:58 CET 2013
On Fri, Mar 8, 2013 at 1:01 PM, Ian Kelly <ian.g.kelly at gmail.com> wrote:
> On Fri, Mar 8, 2013 at 12:19 PM, <info at cravendot.gr> wrote:
>> I dare anyone who wants to mess with the 'htmlpage' variable's value now!
>> I made it unhackable, I believe!
>> I am testing it myself for 3 hours now and find it safe!
>> Please feel free to try also!
> Okay, done. I was still able to read your source files, and I was
> still able to write a file to your webserver. All I had to do was
> change 'htmlpage' to 'page' in the example URLs I sent you before.
> Validating the 'htmlpage' field does nothing if you also switch the
> dispatch to the 'page' field.
> And as far as the validation goes, from what I can see in the source,
> it looks like you're just checking whether the string '.html' appears
> in it somewhere. It's not hard at all to craft a malicious page
> request that meets that.
> As a start, try checking that the file actually exists before doing
> anything with it, and that it is in one of the directories used by
> your web server.
os.path.isfile will help with the former, while os.path.realname and
os.path.dirname will help with the latter.
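As an added illustration of the two checks recommended above (not code from this thread or from the site under discussion), the following script puts a naive "does '.html' occur in the string" check next to a resolver that canonicalises the requested name with os.path.realpath (that is the canonicalising function in os.path; there is no os.path.realname), confirms the result lies inside the served directory, and confirms the file exists with os.path.isfile. The document root and the files in it are a constructed fixture in a temporary directory, and the rule that only names ending in '.html' are pages is an assumption made for the example:

```python
import os
import tempfile


def naive_check(page):
    """The check described in the thread: does '.html' occur anywhere in the
    request?  Any name can be made to pass this by appending '.html' to it,
    so it proves nothing about which file will actually be opened."""
    return ".html" in page


def resolve_page(page, docroot):
    """Return the canonical path of the page to serve, or None to refuse.

    Implements the two checks recommended above:
      1. the resolved path must lie inside the served directory (docroot);
      2. the file must actually exist (os.path.isfile).
    Plus one assumption made for this example: only files ending in '.html'
    are pages, so server sources such as .py files are never served.
    """
    if not page or "\0" in page:
        return None
    root = os.path.realpath(docroot)
    # Join the untrusted name under the docroot, then canonicalise so that
    # '..' components and symlinks are resolved *before* the comparison.
    candidate = os.path.realpath(os.path.join(root, page.lstrip("/\\")))
    # Compare on a directory boundary: a bare prefix test would let
    # '/srv/www' accept '/srv/www-private/secret.html'.
    if not candidate.startswith(root + os.sep):
        return None
    if not candidate.endswith(".html"):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def make_demo_docroot():
    """Constructed fixture (not a real server layout): a docroot holding one
    page and one server source file, plus a file outside the docroot."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "www")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<h1>hello</h1>\n")
    with open(os.path.join(docroot, "app.py"), "w") as f:
        f.write("DB_PASSWORD = 'hunter2'\n")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("outside the web root\n")
    return docroot


def demo():
    """Print, for a set of constructed request values, what each check decides."""
    docroot = make_demo_docroot()
    requests = [
        "index.html",                 # legitimate page
        "app.py",                     # read the server's own source
        "app.py#.html",               # same name, padded to pass the naive check
        "../secret.txt",              # traversal outside the docroot
        "../secret.txt?x=.html",      # traversal that passes the naive check
        "missing.html",               # well-formed name, no such file
    ]
    for req in requests:
        print("%-26s naive=%-5s served=%s" % (
            req, naive_check(req), resolve_page(req, docroot) is not None))


if __name__ == "__main__":
    demo()
```

Running the script shows the naive check accepting both "../secret.txt?x=.html" and "app.py#.html" while resolve_page refuses everything except "index.html". The prefix comparison uses root + os.sep rather than a bare startswith(root) so that a sibling directory whose name merely begins with the docroot's name is not accepted, and it works on the 3.2 series the thread is about (os.path.commonpath, which would do the same job, only arrived in Python 3.4).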