Dr. Trigon wrote:
Sorry for the inconveniences I caused here!
What exactly is the critical point you are mentioning? Do I understand
you right, and would inserting the code
import os
allowed = [item for item in os.listdir('.') if '.xslt' in item]
if xslt not in allowed:
    # return some neutral/blank message (hiding all sensitive data)
    ...
which just allows access to "my" 'xslt' files in 'cgi-bin', satisfy
those needs in security? Or do you have something else in mind?
(disabling debug info, moving 'xslt' files to another directory,
or even more restrictive, ...?)
Thanks for your feedback and greetings
DrTrigon
I would check that xslt is composed only of alphanumeric characters* and
do something like "/home/drtrigon/xslt/" + xslt + ".xslt"
(this ensures there's no ../ and it doesn't contain \0).
Also, I'm not sure if urllib.open() works with file:// urls, but I'd
verify it's an http or https URL.
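The two checks suggested in the reply, written out as an added example (this is not code from the thread or from DrTrigon's bot): a whitelist on the stylesheet name followed by path construction inside a fixed directory, and a scheme check on any user-supplied URL before it is fetched. The directory "/home/drtrigon/xslt/" is the hypothetical path from the reply; the function names and sample inputs are assumptions. For the record, Python 3's urllib.request.urlopen does open file:// URLs, so the scheme check is not optional.

```python
import os
import re
from urllib.parse import urlparse

# Directory that holds the stylesheets (hypothetical path taken from the reply).
XSLT_DIR = "/home/drtrigon/xslt/"

# Only letters and digits are accepted, as the reply suggests.  Anything else
# (slashes, dots, NUL bytes, whitespace, newlines) is rejected before any path
# is built.  fullmatch() is used instead of match() with '$' so that a trailing
# newline cannot slip through.
_NAME_RE = re.compile(r"[A-Za-z0-9]+")


def resolve_xslt(name, base_dir=XSLT_DIR):
    """Return the absolute path of the stylesheet for `name`, or None if the
    name is not acceptable.

    The whitelist already makes "../" and "\\0" impossible; the realpath check
    is a second, independent guard in case the regex or base_dir is loosened
    later.
    """
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".xslt"))
    # The resolved file must still sit directly inside base_dir.
    if os.path.dirname(candidate) != base:
        return None
    return candidate


def is_fetchable_url(url):
    """Accept only http:// and https:// URLs that carry a host component.

    urllib.request.urlopen handles file:// (and ftp://) URLs as well, so a
    user-supplied URL must be checked here before it is handed to it.
    """
    if not isinstance(url, str):
        return False
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def main():
    # Constructed sample inputs: only the first of each group should pass.
    for name in ["style1", "../../etc/passwd", "style\0", "style1\n", "", "a b"]:
        print(repr(name), "->", resolve_xslt(name))
    for url in ["https://example.org/data.xml",
                "file:///etc/passwd",
                "ftp://example.org/data.xml",
                "/etc/passwd"]:
        print(repr(url), "->", is_fetchable_url(url))


if __name__ == "__main__":
    main()
```

Compared with the listdir() approach in the question, this does not depend on the script's working directory and gives a single place where the accepted name set is defined; the directory listing check is also safe against "../" (directory entries contain no separators), but it silently changes meaning if the script is ever run from somewhere else.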