-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11.09.2011 22:59, Platonides wrote:
Dr. Trigon wrote:
    import os
    allowed = [item for item in os.listdir('.') if '.xslt' in item]
    if xslt not in allowed:
        # return some neutral/blank message (hiding all sensitive data)
I would check that xslt is only composed of alphanumeric characters* and do something like "/home/drtrigon/xslt/" + xslt + ".xslt" (this ensures there's no ../ and doesn't contain \0)
Sorry that answer confuses me; "check that xslt is only composed by alphanumeric characters" is just a second (more paranoid) check to be very sure? Since only xslt from my path are allowed, I would have to put them into this directory and do check them then... The other thing is the content of this xslt will be passed to 'etree.XML' like:
    from lxml import etree
    doc = etree.parse(f)
    xslt_root = etree.XML(open(xslt).read())
so why should there be a problem if the xslt would contain binary data (which in fact they would not since I have to upload them... ;)
Also, I'm not sure if urllib.open() works with file:// urls, but I'd verify it's a http or https url.
On 11.09.2011 23:29, Merlijn van Deen wrote:
On 11 September 2011 22:59, Platonides <platonides@gmail.com> wrote:
Also, I'm not sure if urllib.open() works with file:// urls, but I'd verify it's a http or https url.
It even works without. For urllib2, you do need to use file:// urls.
    valhallasw@dorthonion:~$ python
    Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56)
    [GCC 4.4.3] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import urllib, urllib2
    >>> urllib.urlopen('/etc/passwd').readlines()
    ['root:x:0:0:root:/root:/bin/bash\n', (...) ,'usbmux:x:109:46:usbmux daemon,,,:/home/usbmux:/bin/false\n']
    >>> urllib2.urlopen('file:///etc/passwd').readlines()
    ['root:x:0:0:root:/root:/bin/bash\n', (...)
What would be the best / most safe verification? Check for "http" in the beginning of the string? Or is there a good way to prevent urllib from allowing such accesses?
Of course, it all boils back to the old motto 'never trust user input' - and be sure standard libraries are not more general than you think...
I would never ever trust my own input at all... ;)) And I can only cite DNA here: "To summarize the summary of the summary: 'People are a problem'"... ;)))
And to be quite honest, the fact of having (python) standard libraries that are more general than I (could ever) think, is one of those things that amaze me every time... :)
(and this is something that might have bitten more of us, including me :-))
(makes me somehow happy not to be the only one... ;)
Greetings
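The two checks discussed in this thread (restricting the stylesheet name to a safe character set and joining it onto a fixed directory, and verifying that a user-supplied URL really is http or https before handing it to urllib) written out as an added example; this is not code from any of the participants. It assumes Python 3 (the session above is Python 2, but urllib.request.urlopen still opens file:// URLs, so the scheme check matters there too), the /home/drtrigon/xslt directory mentioned by Platonides, and an assumed stylesheet-name alphabet of letters, digits, underscore and hyphen; the sample inputs are constructed.

```python
import os
import re
from urllib.parse import urlsplit

# Directory holding the allowed stylesheets (path taken from the thread).
XSLT_DIR = "/home/drtrigon/xslt"

# Assumed name alphabet: letters, digits, "_" and "-". Used with fullmatch()
# rather than match() + "$", because "$" would still accept a trailing newline.
_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def safe_xslt_path(name, base_dir=XSLT_DIR):
    """Map a user-supplied stylesheet name onto a file inside base_dir.

    Returns the path on success and None for anything that is not a plain
    name: empty strings, "../" traversal, NUL bytes, separators, etc.
    """
    if not isinstance(name, str) or _NAME_RE.fullmatch(name) is None:
        return None
    path = os.path.join(base_dir, name + ".xslt")
    # Defence in depth: even if the alphabet is loosened later, refuse any
    # result that resolves outside base_dir (symlinks included).
    real_base = os.path.realpath(base_dir)
    real_path = os.path.realpath(path)
    if os.path.commonpath([real_base, real_path]) != real_base:
        return None
    return path


def is_allowed_url(url, schemes=("http", "https")):
    """True only for URLs with an http(s) scheme and a host part.

    Rejects bare paths like "/etc/passwd" (no scheme), "file:///etc/passwd"
    (wrong scheme) and "http:///etc/passwd" (no host). urlsplit() lowercases
    the scheme, so "HTTP://..." is accepted as well.
    """
    if not isinstance(url, str):
        return False
    parts = urlsplit(url)
    return parts.scheme in schemes and bool(parts.netloc)


if __name__ == "__main__":
    # Constructed inputs: what a form field or query parameter might carry.
    for candidate in ("standard", "../../etc/passwd", "foo\0bar", "bad/name", ""):
        print(repr(candidate), "->", safe_xslt_path(candidate))
    for candidate in ("https://example.org/page.xml", "/etc/passwd",
                      "file:///etc/passwd", "http:///etc/passwd"):
        print(repr(candidate), "->", is_allowed_url(candidate))
```

Only after safe_xslt_path returns a path should the file be opened and passed to etree.XML; the os.listdir comparison from the original snippet then becomes unnecessary, since a name that passes the alphabet check can only ever name a file directly inside the stylesheet directory. The URL check should run before urlopen is called at all, because urllib does not offer a switch to disable its file handler.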