Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool
On 14.09.2011 00:08, Platonides wrote:
> Heh, you could have added - and _ to the list of allowed characters (that's why I pointed out *what* I wanted to protect from).

Because you mentioned alphanumeric I thought of using str.isalnum() but there no additional chars can be added (as far as I know). Thus I would have to consider regex - but then I was so lazy to use my first idea... ;) But of course you are right! :)

> Spelling out the list of allowed values is always safer, but it is bothersome (I see you listed the folder instead).

"is always safer" is good news to me and because "it is bothersome" I chose a way somewhere in between... :) (or maybe because - as mentioned - it was my first idea... ;))

Greetings and thanks for the feedback - was very helpful!

___
Toolserver-l mailing list (Toolserver-l@lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/toolserver-l
Posting guidelines for this list: https://wiki.toolserver.org/view/Mailing_list_etiquette
Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool
Dr. Trigon wrote:
>> I would check that xslt is only composed by alphanumeric characters* and do something like "/home/drtrigon/xslt/" + xslt + ".xslt" (this ensures there's no ../ and doesn't contain \0)
> I considered this solution, since it sounded to be very easy. BUT the check for alphanum does exclude all files with '-' or '_'. Thus I decided to use my proposal.

Heh, you could have added - and _ to the list of allowed characters (that's why I pointed out *what* I wanted to protect from).

> As far as I can see this does protect from '../' and '\0' in the path of the xslt file also - but please correct me if I am wrong here (and you have a scenario where this breaks down).

Spelling out the list of allowed values is always safer, but it is bothersome (I see you listed the folder instead).
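A worked version of the allowlist approach discussed in the two messages above (alphanumerics plus '-' and '_', joined to a fixed directory), added here as an example; it is not XSaLT's own code. The directory /home/drtrigon/xslt and the name-plus-".xslt" construction follow Platonides' suggestion; the containment check and the helper names are assumptions.

```python
import os
import re

# Stylesheet directory and suffix as suggested in the thread (assumed layout, not XSaLT's code).
XSLT_DIR = "/home/drtrigon/xslt"
XSLT_SUFFIX = ".xslt"

# Allowlist: letters, digits, '-' and '_' only. str.isalnum() cannot express the two
# extra characters, so a regex is used. fullmatch() also rejects a trailing "\n" or "\0".
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def stylesheet_path(xslt, xslt_dir=XSLT_DIR):
    """Map the user-supplied 'xslt' CGI parameter to a file path, or return None.

    The allowlist alone already excludes '/', '.' and NUL, so "../" cannot appear.
    The containment check afterwards is a second, independent layer: it still
    holds if the regex is later relaxed (e.g. to allow '.' or '/').
    """
    if not SAFE_NAME.fullmatch(xslt):
        return None
    base = os.path.normpath(xslt_dir)
    candidate = os.path.normpath(os.path.join(base, xslt + XSLT_SUFFIX))
    # After normalisation the file must sit directly inside the stylesheet directory.
    if os.path.dirname(candidate) != base:
        return None
    return candidate


def where_open_would_look(path):
    """What Merlijn's demo later in the thread shows: the OS resolves '..' components
    instead of refusing them, so open() does not reject a path that contains "../"."""
    return os.path.normpath(path)


def demo():
    # Constructed inputs: legitimate stylesheet names and hostile variants.
    cases = ["rss2html", "my-feed_v2", "../../dab/text", "rss2html\n", "rss2html\0", "", "a/b"]
    return {c: stylesheet_path(c) for c in cases}


if __name__ == "__main__":
    for name, path in demo().items():
        print(repr(name), "->", path)
    print(where_open_would_look("/home/drtrigon/xslt/../../dab/text.xml"))
```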
Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool
On 12.09.2011 14:21, DaB. wrote:
> Hello,
> At Monday 12 September 2011 14:21:05 DaB. wrote:
>> /home/drtrigon/xslt/../../dab/text.xml as path, it returns an IOError: [Errno 2] No such file or directory: ...
> which is true. There is no text.xml-file in my home. It was just an example.

Sorry, maybe I had to point out that this was just your example. I tried it of course with an existing and accessible file in my home. (in fact I tried it on my local computer, but giving you this path example would not help, since you don't know my local file system tree... ;))

So this "IOError: [Errno 2] No such file or directory: ..." was NOT triggered because of a non-existing file, BUT because of the syntax not accepted.

I do not want to state that there is no possibility to cheat this way, but the obvious one suggested does not work in python (I used Python 2.7.1 (r271:86832, Apr 12 2011, 16:15:16) [GCC 4.6.0 20110331 (Red Hat 4.6.0-2)] on linux2)...
Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool
On 12 September 2011 16:00, Dr. Trigon <dr.tri...@surfeu.ch> wrote:
> So this "IOError: [Errno 2] No such file or directory: ..." was NOT triggered because of a non-existing file, BUT because of the syntax not accepted.
> I do not want to state that there is no possibility to cheat this way, but the obvious one suggested does not work in python

Interesting theory, but not true:

valhallasw@nightshade:~$ cat test.file
blah
valhallasw@nightshade:~$ python
Python 2.7.1 (r271:86832, Jan 4 2011, 13:57:14)
[GCC 4.5.2] on sunos5
Type "help", "copyright", "credits" or "license" for more information.
>>> open("/home/valhallasw/src/../test.file").readlines()
['blah\n']

Please always double-check these things in security-related issues.

Best,
Merlijn
Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool
Hello,

At Sunday 11 September 2011 20:49:25 DaB. wrote:
> all files on the toolserver can be checked for existence, if they are XML files

disabled for this reason.

@drtrigon: Please fix your script BEFORE you put it back in action.

Sincerely,
DaB.

--
Userpage: [[:w:de:User:DaB.]] — PGP: 2B255885
[Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool
Hello TS users!

To close the topic [1] I finally decided to follow the hints given by Maciej Jaros and Merlissimo and created (since it seems nobody did this already - please correct me if I am wrong)

XSaLT: XSL/XSLT Simple and Lightweight Tool [2]

which is a very, very, very simple python cgi script that takes a URL (pointing to any XML source document) and an XSLT stylesheet. Both are passed to lxml to transform the XML to a destination document. Any XSLT stylesheet you might need can be added if you send me a mail.

A first example is rss2html.xslt which converts RSS feeds to HTML content, as can be seen in the example [3] (it is specialized to this feed and may give worse results on others).

[1] http://lists.wikimedia.org/pipermail/toolserver-l/2011-September/004375.html
[2] https://wiki.toolserver.org/view/~drtrigon/cgi-bin/xsalt.py
[3] http://toolserver.org/~drtrigon/cgi-bin/xsalt.py?url=http%3A%2F%2Fblog.wikimedia.de%2Ffeed%2F&xslt=rss2html.xslt

Thanks for all your help and hints!

Greetings
DrTrigon