An error when i switched from python v2.6.6 => v3.2.3
nagia.retsina at gmail.com
nagia.retsina at gmail.com
Fri Mar 8 22:15:08 EST 2013
Τη Σάββατο, 9 Μαρτίου 2013 2:26:56 π.μ. UTC+2, ο χρήστης Ian έγραψε:
> On Fri, Mar 8, 2013 at 1:31 PM, Νίκος Γκρ33κ <nikos.gr33k at gmail.com> wrote:
>
> > Thank you very much for pointing my flaws once again!
>
> >
>
> > I cant beleive how easy you hacked the webserver again and be able to read my cgi scripts source and write to cgi-bin too!
>
> >
>
> > I have added extra security by following some of your advice, i wonder if youc an hack it again!
>
> >
>
> > Fell free to try if i'am not tiring you please!
>
>
>
> That seems to be better, although I want to stress that I did not try
>
> very hard. It's possible that somebody with more patience and
>
> imagination than myself might still find a way to fool your
>
> validation.
I'am glad the script has been made more secure after of course you enilghten me and i followed your advice. Here is what i did:
# detect how 'index.html' is called and validate values of 'htmlpage' & 'page'
if page and os.path.isfile( '/home/nikos/www/cgi-bin/' + page ):
page = page
elif form.getvalue('show') and os.path.isfile( htmlpage ):
page = htmlpage.replace( '/home/nikos/public_html/', '' )
else:
page = 'index.html'
Now that you have the if structure's logic can you *still* fool the script?
More information about the Python-list
mailing list