On 11.09.2011 22:59, Platonides wrote:
> Dr. Trigon wrote:
>> import os
>> allowed = [item for item in os.listdir('.') if '.xslt' in item]
>> if xslt not in allowed:
>>     # return some neutral/blank message (hiding all sensitive data)
>
> I would check that xslt is only composed by alphanumeric
> characters* and do something like "/home/drtrigon/xslt/" + xslt +
> ".xslt" (this ensures there's no ../ and doesn't contain \0)
Sorry, that answer confuses me; "check that xslt is only composed by
alphanumeric characters" is just a second (more paranoid) check to be
very sure? Since only xslt from my path are allowed, I would have to
put them into this directory and do check them then... The other thing
is the content of this xslt will be passed to 'etree.XML' like:
>> from lxml import etree
>> doc = etree.parse(f)
>> xslt_root = etree.XML( open(xslt).read() )
so why should there be a problem if the xslt would contain binary
data (which in fact they would not since I have to upload them... ;)
> Also, I'm not sure if urllib.open() works with file:// urls, but
> I'd verify it's a http or https url.
On 11.09.2011 23:29, Merlijn van Deen wrote:
> On 11 September 2011 22:59, Platonides <platonides(a)gmail.com
> <mailto:platonides@gmail.com>> wrote:
>
>> Also, I'm not sure if urllib.open() works with file:// urls, but
>> I'd verify it's a http or https url.
>
>
> It even works without. For urllib2, you do need to use file://
> urls.
>
> valhallasw@dorthonion:~$ python
> Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56)
> [GCC 4.4.3] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import urllib, urllib2
> >>> urllib.urlopen('/etc/passwd').readlines()
> ['root:x:0:0:root:/root:/bin/bash\n', (...)
> ,'usbmux:x:109:46:usbmux daemon,,,:/home/usbmux:/bin/false\n']
> >>> urllib2.urlopen('file:///etc/passwd').readlines()
> ['root:x:0:0:root:/root:/bin/bash\n', (...)
What would be the best / most safe verification? Check for "http" in
the beginning of the string? Or is there a good way to prevent urllib
from allowing such accesses?
> Of course, it all boils back to the old motto 'never trust user
> input' - and be sure standard libraries are not more general than
> you think...
I would never ever trust my own input at all... ;)) And can only cite
DNA here: "To summarize the summary of the summary: 'People are a
problem'"... ;)))
And to be quite honest, the fact of having (python) standard libraries
that are more general than I (could ever) think, is one of those things
that amaze me every time... :)
> (and this is something that might have bitten more of us, including
> me :-))
(makes me somehow happy not to be the only one... ;)
Greetings
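The two checks discussed in this mail, an alphanumeric whitelist for the xslt name built into a path under the stylesheet directory, and a scheme check before a URL is handed to urllib, written out as an added example in Python 3; this is not Dr. Trigon's or Platonides' code, and the function names and test inputs are assumptions. Python 3's urllib.request.urlopen() still accepts file:// URLs, so the scheme check is as relevant there as it was for urllib2.

```python
import os
import re
from urllib.parse import urlsplit

# Stylesheet directory from the thread; the validation around it is an added
# example, not code from the original mail.
XSLT_DIR = "/home/drtrigon/xslt"

# A stylesheet name may only contain these characters; slashes, dots, NUL and
# newlines are rejected before the name reaches any filesystem call.
_NAME_CHARS = re.compile(r"[A-Za-z0-9_-]+")


def safe_xslt_path(name, base_dir=XSLT_DIR):
    """Map a user-supplied stylesheet name to a file inside base_dir, or None.

    Follows the suggestion in the thread: check the name is alphanumeric, then
    build base_dir + name + ".xslt" yourself instead of trusting the input.
    """
    if not isinstance(name, str) or _NAME_CHARS.fullmatch(name) is None:
        return None
    path = os.path.join(base_dir, name + ".xslt")
    # Defence in depth: after resolving symlinks and '..' the result must still
    # lie inside base_dir. The character check above already guarantees this,
    # but the test keeps the function safe if someone later relaxes the regex.
    real_base = os.path.realpath(base_dir)
    if os.path.commonpath([real_base, os.path.realpath(path)]) != real_base:
        return None
    return path


def is_remote_http_url(url):
    """Accept only absolute http(s) URLs that name a host.

    A bare path ('/etc/passwd') has no scheme and 'file:///etc/passwd' has the
    wrong one, so both are rejected before urlopen() is ever called. Checking
    the parsed scheme rather than url.startswith('http') also rejects
    'http:///etc/passwd' (no host) and handles upper-case schemes.
    """
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)
```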