Dr. Trigon wrote:
Sorry for the inconveniences I caused here!
What exactly is the critical point you are mentioning? Do I understand you right, and would inserting the code

    import os
    allowed = [item for item in os.listdir('.') if '.xslt' in item]
    if xslt not in allowed:
        pass  # return some neutral/blank message (hiding all sensitive data)

which just allows access to "my" 'xslt' files in 'cgi-bin' satisfy those needs in security? Or do you have something else in mind? (disabling debug info, moving 'xslt' files to another directory, or even more restrictive, ...?)
Thanks for your feedback and greetings DrTrigon
I would check that xslt is only composed of alphanumeric characters* and do something like "/home/drtrigon/xslt/" + xslt + ".xslt" (this ensures there's no ../ and doesn't contain \0).
Also, I'm not sure if urllib.open() works with file:// urls, but I'd verify it's a http or https url.
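The two checks suggested in the reply above, written out as an added Python example (not code from either poster): the stylesheet directory is taken from the reply, and the function names and sample inputs are assumptions made here.

```python
import os
import re
from urllib.parse import urlparse

# Assumed location of the script's own stylesheets (from the reply above).
XSLT_DIR = "/home/drtrigon/xslt"

# Letters and digits only: the name then cannot contain "/", "..", "\0",
# a newline or an extension of its own.
_NAME_RE = re.compile(r"[A-Za-z0-9]+")


def xslt_path(xslt):
    """Map the untrusted 'xslt' request parameter to a stylesheet path.

    Returns <XSLT_DIR>/<xslt>.xslt, or None when the name is not purely
    alphanumeric; the caller answers with a neutral message in that case
    instead of revealing anything about the file system.
    """
    if not isinstance(xslt, str) or _NAME_RE.fullmatch(xslt) is None:
        return None
    path = os.path.join(XSLT_DIR, xslt + ".xslt")
    # Defence in depth: the resolved path must still sit inside XSLT_DIR.
    base = os.path.realpath(XSLT_DIR)
    if os.path.commonpath([os.path.realpath(path), base]) != base:
        return None
    return path


def is_fetchable_url(url):
    """Accept only http(s) URLs with a host for the document parameter,
    so schemes such as file:// cannot turn the script into a file reader."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)
```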