John Cartwright wrote:
...
Subscriber addresses and passwords have been compromised.
d'0h!
That's an improvement, but better is to extract and validate the tail of the path to your repository and then anchor the root where it belongs....
SLASH = '/'

def true_path(path):
    "Ensure that the path is safe by removing .."
    # Drop '.' and '..' outright instead of resolving them; also drop empty
    # components so a leading '/' (or '//') cannot survive into the result,
    # which is what the original [1:] slice was trying to do.
    parts = [x for x in path.split(SLASH) if x not in ('', '.', '..')]
    return SLASH.join(parts)
Fully disclosing that FD was compromised was a stand up thing to do though. Good job!
- Steve
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
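The validate-and-anchor approach described above, written out as an added example (not code from the post); the repository root /srv/repo is an assumed placeholder, and the containment check is lexical only, so realpath() is still needed where symlinks inside the root are a concern:

```python
import posixpath

# Assumed repository root (placeholder, not from the original post).
ROOT = "/srv/repo"


def clean_tail(path):
    """Reduce a user-supplied path to a relative tail of plain components.

    Empty components ('//'), '.' and '..' are dropped rather than resolved,
    so '../../etc/passwd' becomes 'etc/passwd' and '/' becomes ''.
    """
    parts = [p for p in path.split("/") if p not in ("", ".", "..")]
    return "/".join(parts)


def inside_root(candidate, root):
    """True if candidate is root itself or lies strictly below it.

    Comparing against root + '/' (not a bare prefix) stops '/srv/repository'
    from being accepted as inside '/srv/repo'.
    """
    return candidate == root or candidate.startswith(root + "/")


def anchor(path, root=ROOT):
    """Join the cleaned tail under root and re-verify containment.

    Returns the anchored path, or None if the check fails; after clean_tail
    a failure indicates a bug rather than a normal input.
    """
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, clean_tail(path)))
    if not inside_root(candidate, root):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: traversal attempt, dot segments, bare root.
    for sample in ("../../etc/passwd", "/docs/./readme.txt", "/", "a//b"):
        print(repr(sample), "->", anchor(sample))
```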