btw.: ...is the pywikipedia framework's 'getUrl' safe in this sense?
Just for information: no it is not! The following works:
>> print site.getUrl("file:///etc/passwd", no_hostname = True)
(this could be an issue for other homebrew bots blindly counting on the framework... maybe... ;)
I would check that xslt is only composed of alphanumeric characters* and do something like "/home/drtrigon/xslt/" + xslt + ".xslt" (this ensures there's no ../ and doesn't contain \0)
I considered this solution, since it sounded to be very easy. BUT the
check for alphanum does exclude all files with '-' or '_'. Thus I
decided to use my proposal. As far as I can see this does protect from
'../' and '\0' in the path of the xslt file also - but please correct
me if I am wrong here (and you have a scenario where this breaks down).
Also, I'm not sure if urllib.open() works with file:// urls, but I'd verify it's an http or https url.
Or prepending http:// if the input doesn't start with http://
Looking at the first 4 bytes of the string does not involve any python or implementation specific party.
Obvious solutions are better than magical ones.
So I implemented a list and check the first chars from url string
against this list in order to be sure nothing bad goes on here.
The full code (for python-gurus) is given here:
########################################
# security
import os

def is_secure(url, xslt):
    # check url not to point to a local file on the server, e.g. 'file://'
    s1 = False
    for item in ['http://', 'https://']:
        s1 = s1 or (url[:len(item)] == item)
    # check xslt does point to allowed local files on the server (the
    # '.xslt' in same directory as script) and not any other, e.g. '../'
    # (os.listdir() names never contain a path separator or '\0')
    allowed = [item for item in os.listdir('.') if '.xslt' in item]
    s2 = (xslt in allowed)
    return s1 and s2

# url and xslt are the two values taken from the request
secure = is_secure(url, xslt)
########################################
If secure is False, the default starting page will be displayed, as if
nothing happened (which is actually the case).
Can somebody (maybe DaB) confirm if this is ok? Or still too weak?
Thanks a lot for all your help, hints and participation!!
Greetings to all!
DrTrigon
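A stricter form of the two checks discussed in this thread, added here as an example and not DrTrigon's code: the scheme is taken from urlsplit() rather than a raw prefix compare (so 'HTTP://...' and a bare 'http://' with no host are handled), and the stylesheet name is canonicalised with realpath() and confined to the script directory, which also rejects traversal, NUL bytes and symlinks pointing elsewhere. The directory and sample inputs are constructed for the demo; it targets Python 3.

```python
import os
import tempfile
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ('http', 'https')

def url_is_remote(url):
    """True only if url parses with an http/https scheme and a host name.

    urlsplit() lower-cases the scheme, so 'HTTP://' is accepted like 'http://';
    a prefix compare would also accept 'http://' alone, which has no host.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)

def xslt_is_allowed(xslt, base_dir):
    """True only if xslt names an existing *.xslt file directly in base_dir."""
    # reject empty names, NUL bytes (realpath would raise on them) and
    # anything containing a path separator before touching the filesystem
    if not xslt or '\0' in xslt or os.path.basename(xslt) != xslt:
        return False
    if not xslt.endswith('.xslt'):
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, xslt))
    # canonical parent must be base_dir itself: no '..', no symlink escape
    return os.path.dirname(target) == base and os.path.isfile(target)

def is_secure(url, xslt, base_dir):
    return url_is_remote(url) and xslt_is_allowed(xslt, base_dir)

def demo():
    """Constructed directory holding one allowed stylesheet; returns results."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, 'my-sheet.xslt'), 'w') as f:
        f.write('<xsl:stylesheet/>')
    return {
        'ok': is_secure('https://example.org/page', 'my-sheet.xslt', d),
        'file_url': is_secure('file:///etc/passwd', 'my-sheet.xslt', d),
        'traversal': is_secure('http://example.org/', '../my-sheet.xslt', d),
        'nul': is_secure('http://example.org/', 'my-sheet.xslt\0', d),
        'upper': is_secure('HTTP://example.org/', 'my-sheet.xslt', d),
    }
```

Names with '-' or '_' pass (the alphanumeric-only concern raised earlier), while only files that really sit in the directory are accepted.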