Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-14 Thread Dr. Trigon
On 14.09.2011 00:08, Platonides wrote: > Heh, you could have added - and _ to the list of allowed characters > (that's why I pointed out *what* I wanted to protect from). Because you mentioned alphanumeric I thought of using "str.isalnum()" but the

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-13 Thread Platonides
Dr. Trigon wrote: >> I would check that xslt is only composed by alphanumeric >> characters* and do something like "/home/drtrigon/xslt/" + xslt + >> ".xslt" (this ensures there's no ../ and doesn't contain \0) > > I considered this solution, since it sounded to be very easy. BUT the > check for al

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-12 Thread Dr. Trigon
> btw.: ...is the pywikipedia framework's 'getUrl' safe in this > sense? Just for information: no it is not! The following works: >>> print site.getUrl("file:///etc/passwd", no_hostname = True) (this could be an issue for other homebrew bots blindly

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-12 Thread Dr. Trigon
On 12.09.2011 16:43, Merlijn van Deen wrote: > On 12 September 2011 16:00, Dr. Trigon > wrote: > > So this "IOError: [Errno 2] No such file or directory: ..." was > NOT triggered because of a non-existing file, BUT beca

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-12 Thread Merlijn van Deen
On 12 September 2011 16:00, Dr. Trigon wrote: > So this "IOError: [Errno 2] No such file or directory: ..." was NOT > triggered because of a non-existing file, BUT because of the syntax > not accepted. I do not want to state that there is no possibility to > cheat this way, but the obvious one s

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-12 Thread Dr. Trigon
On 12.09.2011 14:21, DaB. wrote: > Hello, At Monday 12 September 2011 14:21:05 DaB. wrote: >> "/home/drtrigon/xslt/../../dab/text.xml" as path, it returns an >> "IOError: [Errno 2] No such file or directory: ..." > > which is true. There is no text

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-12 Thread DaB.
Hello, At Monday 12 September 2011 14:21:05 DaB. wrote: > "/home/drtrigon/xslt/../../dab/text.xml" as path, it returns an > "IOError: [Errno 2] No such file or directory: ..." which is true. There is no text.xml-file in my home. It was just an example. Sincerely, DaB. -- Userpage: [[:w:de:User:D

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-12 Thread Dr. Trigon
On 12.09.2011 13:43, DaB. wrote: > to prevent something like > > "../../dab/text.xml" as parameter which would result in > > "/home/drtrigon/xslt/"../../dab/text.xml" which would result to > > "/home/dab/text.xml" Yes I assumed something similar,

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-12 Thread DaB.
Hello, At Monday 12 September 2011 13:41:09 DaB. wrote: > Sorry that answer confuses me; "check that xslt is only composed by > alphanumeric characters" is just a second (more paranoid) check to be > very sure? to prevent something like "../../dab/text.xml" as parameter which would result in "/h

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-12 Thread Peter Körner
On 12.09.2011 13:33, Dr. Trigon wrote: from lxml import etree doc = etree.parse(f) xslt_root = etree.XML( open(xslt).read() ) > > so why should there be a problem if the xslt would contain binary > data (which in fact they would not since I have to upload them... ;) I think he referred

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-12 Thread Dr. Trigon
On 11.09.2011 22:59, Platonides wrote: > Dr. Trigon wrote: >> import os allowed = [item for item in os.listdir('.') if '.xslt' >> in item] if xslt not in allowed: # return some neutral/blank >> message (hiding all sensitive data) > > I would check tha

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-11 Thread Dr. Trigon
> It even works without. For urllib2, you do need to use file:// > urls. > > valhallasw@dorthonion:~$ python Python 2.6.5 (r265:79063, Apr 16 > 2010, 13:09:56) [GCC 4.4.3] on linux2 Type "help", "copyright", > "credits" or "license" for more informati

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-11 Thread Merlijn van Deen
On 11 September 2011 22:59, Platonides wrote: > Also, I'm not sure if urllib.open() works with file:// urls, but I'd > verify it's a http or https url . > > It even works without. For urllib2, you do need to use file:// urls. valhallasw@dorthonion:~$ python Python 2.6.5 (r265:79063, Apr 16 2010,

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-11 Thread Platonides
Dr. Trigon wrote: > Sorry for the inconveniences I caused here! > > What is exactly the critical point you are mentioning? Do I understand > you right and would inserting the code > > import os > allowed = [item for item in os.listdir('.') if '.xslt' in item] > if xslt not in allowed: > # retu

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-11 Thread Dr. Trigon
On 11.09.2011 20:50, DaB. wrote: > Hello, At Sunday 11 September 2011 20:49:25 DaB. wrote: >> all files on the toolserver can be checked for existence, if they >> are XML files > > disabled for this reason. > > @drtrigon: Please fix your script BEF

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-11 Thread DaB.
Hello, At Sunday 11 September 2011 20:49:25 DaB. wrote: > all files on the toolserver can be checked for > existence, if they are XML files disabled for this reason. @drtrigon: Please fix your script BEFORE you put it back in action. Sincerely, DaB. -- Userpage: [[:w:de:User:DaB.]] — PGP: 2B25

Re: [Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-10 Thread Tim Landscheidt
(anonymous) wrote: > To close the topic [1] I finally decided to follow the hints given by > Maciej Jaros and Merlissimo and created (since it seems nobody did this > already - please correct me, if I am wrong) > "XSaLT: XSL/XSLT Simple and Lightweight Tool" [2] > Which is a very, very, very sim

[Toolserver-l] Announcement - XSaLT: XSL/XSLT Simple and Lightweight Tool

2011-09-10 Thread Dr. Trigon
Hello TS users! To close the topic [1] I finally decided to follow the hints given by Maciej Jaros and Merlissimo and created (since it seems nobody did this already - please correct me, if I am wrong) "XSaLT: XSL/XSLT Simple and Lightweight Tool" [2