btw.: ...is the pywikipedia framework's 'getUrl' safe in this sense?
Just for information: no, it is not! The following works:
print site.getUrl("file:///etc/passwd", no_hostname = True)
(this could be an issue for other homebrew bots blindly counting on the framework... maybe... ;)
I would check that xslt is only composed of alphanumeric characters* and do something like "/home/drtrigon/xslt/" + xslt + ".xslt" (this ensures there's no ../ and it doesn't contain \0)
I considered this solution, since it sounded very easy. BUT the check for alphanum excludes all files with '-' or '_'. Thus I decided to use my proposal. As far as I can see this protects against '../' and '\0' in the path of the xslt file as well - but please correct me if I am wrong here (and you have a scenario where this breaks down).
Also, I'm not sure if urllib.open() works with file:// urls, but I'd verify it's an http or https url.
Or prepending http:// if the input doesn't start with http://
Looking at the first 4 bytes of the string does not involve any python- or implementation-specific part.
Obvious solutions are better than magical ones.
So I implemented a list and check the first chars of the url string against this list in order to be sure nothing bad goes on here.
The full code (for python-gurus) is given here:
########################################
# security
# check url not to point to a local file on the server, e.g. 'file://'
s1 = False
for item in ['http://', 'https://']:
    s1 = s1 or (url[:len(item)] == item)
# check xslt does point to allowed local files on the server (the
# '.xslt' in same directory as script) and not any other, e.g. '../'
import os
allowed = [item for item in os.listdir('.') if '.xslt' in item]
s2 = (xslt in allowed)
secure = s1 and s2
########################################
If secure is False, the default starting page will be displayed, as if nothing happened (which is actually the case).
Can somebody (maybe DaB) confirm if this is ok? Or still too weak?
Thanks a lot for all your help, hints and participation!! Greetings to all! DrTrigon
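[Editor's note, added to this thread: the block below is a worked example of the two checks discussed above, written for this page; it is not DrTrigon's code nor part of pywikipedia. It assumes Python 3 and a stylesheet directory passed in explicitly; the file names and URLs are constructed test inputs. Instead of comparing the first bytes against a prefix list it uses urllib.parse.urlsplit, which lower-cases the scheme and exposes whether a host is present, and it compares the xslt parameter as a whole string against a listing of the directory, which is what makes '../', absolute paths and embedded NUL bytes fail: none of them is a file name in that directory. Names with '-' or '_' pass, which was the objection to the alphanumeric-only check.]

```python
"""Input validation for a CGI that fetches a remote URL and applies a local XSLT.
Added example for this thread; not code from pywikipedia or the original poster."""
import os
import tempfile
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def url_is_remote_http(url):
    """True only for http(s) URLs that name a host.

    urlsplit lower-cases the scheme, so 'HTTP://...' is accepted, while
    'file:///etc/passwd' (wrong scheme) and 'http:///etc/passwd' (no host)
    are both rejected.
    """
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def xslt_is_allowed(xslt, directory):
    """True only if xslt is exactly the name of an existing '.xslt' file in directory.

    Whole-string membership in the directory listing leaves no room for '../',
    absolute paths or NUL bytes: no such string is a file name in the directory.
    endswith() is used rather than a substring test so 'page.xslt.bak' does not pass.
    """
    allowed = {name for name in os.listdir(directory) if name.endswith(".xslt")}
    return xslt in allowed


def request_is_secure(url, xslt, directory):
    """Combined decision, mirroring 'secure = s1 and s2' in the thread."""
    return url_is_remote_http(url) and xslt_is_allowed(xslt, directory)


def demo():
    """Run constructed inputs against a throwaway stylesheet directory.

    Returns {label: decision} so the outcome can be inspected or asserted on.
    """
    with tempfile.TemporaryDirectory() as directory:
        # Constructed fixtures: two real stylesheets and two decoys.
        for name in ("page.xslt", "my-list_2.xslt", "page.xslt.bak", "README"):
            open(os.path.join(directory, name), "w").close()
        cases = {
            "plain http": ("http://example.org/wiki/Main_Page", "page.xslt"),
            "https, hyphen/underscore in name": ("https://example.org/", "my-list_2.xslt"),
            "upper-case scheme": ("HTTP://example.org/", "page.xslt"),
            "file scheme": ("file:///etc/passwd", "page.xslt"),
            "http without host": ("http:///etc/passwd", "page.xslt"),
            "no scheme": ("example.org/Main_Page", "page.xslt"),
            "traversal in xslt": ("http://example.org/", "../../etc/passwd"),
            "NUL byte in xslt": ("http://example.org/", "page.xslt\x00.txt"),
            "wrong extension": ("http://example.org/", "page.xslt.bak"),
            "missing file": ("http://example.org/", "other.xslt"),
        }
        return {
            label: request_is_secure(url, xslt, directory)
            for label, (url, xslt) in cases.items()
        }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{'allow' if ok else 'deny ':>5}  {label}")
```

Running it shows the first three cases allowed and the remaining seven denied. The one behavioural difference from the prefix-list check in the thread is the upper-case scheme: 'HTTP://' is rejected by a literal 'http://' comparison but accepted here, because urlsplit normalises the scheme; either choice is defensible, the point is to decide it deliberately.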