-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11.09.2011 22:59, Platonides wrote:
> Dr. Trigon wrote:
>> import os
>> allowed = [item for item in os.listdir('.') if '.xslt' in item]
>> if xslt not in allowed:
>>     # return some neutral/blank message (hiding all sensitive data)
> 
> I would check that xslt is only composed by alphanumeric
> characters* and do something like "/home/drtrigon/xslt/" + xslt +
> ".xslt" (this ensures there's no ../ and doesn't contain \0)

Sorry, that answer confuses me; "check that xslt is only composed by
alphanumeric characters" is just a second (more paranoid) check to be
very sure? Since only xslt from my path are allowed, I would have to
put them into this directory and then check them... The other thing
is that the content of this xslt will be passed to 'etree.XML' like:

>>> from lxml import etree
>>> doc = etree.parse(f)
>>> xslt_root = etree.XML(open(xslt).read())

so why should there be a problem if the xslt contained binary
data (which in fact they would not, since I have to upload them... ;)

> Also, I'm not sure if urllib.open() works with file:// urls, but
> I'd verify it's a http or https url .

On 11.09.2011 23:29, Merlijn van Deen wrote:
> On 11 September 2011 22:59, Platonides <platoni...@gmail.com> wrote:
> 
> Also, I'm not sure if urllib.open() works with file:// urls, but
> I'd verify it's a http or https url .
> 
> 
> It even works without. For urllib2, you do need to use file://
> urls.
> 
> valhallasw@dorthonion:~$ python
> Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56)
> [GCC 4.4.3] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import urllib, urllib2
> >>> urllib.urlopen('/etc/passwd').readlines()
> ['root:x:0:0:root:/root:/bin/bash\n', (...)
> ,'usbmux:x:109:46:usbmux daemon,,,:/home/usbmux:/bin/false\n']
> >>> urllib2.urlopen('file:///etc/passwd').readlines()
> ['root:x:0:0:root:/root:/bin/bash\n', (...)

What would be the best / most safe verification? Check for "http" in
the beginning of the string? Or is there a good way to prevent urllib
from allowing such accesses?

> Of course, it all boils back to the old motto 'never trust user
> input' - and be sure standard libraries are not more general than
> you think...

I would never ever trust my own input at all... ;)) And can only cite
DNA here: "To summarize the summary of the summary: 'People are a
problem'"... ;)))

And to be quite honest, the fact of having (python) standard libraries
that are more general than I (could ever) think, is one of those things
that amaze me every time... :)

> (and this is something that might have bitten more of us, including
> me :-))

(makes me somehow happy not to be the only one... ;)

Greetings
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5t7fAACgkQAXWvBxzBrDChgQCfV/37ccXI2OOJSKDXKQ9PE0Jp
q8wAoMnhLQPKEQOc/ayY3RpFLJl0A119
=Wc29
-----END PGP SIGNATURE-----
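The two checks discussed in this thread (an alphanumeric allowlist on the stylesheet name plus a fixed base directory, and a scheme check before handing a URL to urllib) as one added example. This is not code from the thread or from the bot; it is written for Python 3 (urllib.parse instead of urllib/urllib2; Python 3's urllib.request.urlopen likewise opens file:// URLs). The directory, the placeholder .xslt files and the symlink are constructed fixtures that stand in for "/home/drtrigon/xslt/"; the function names resolve_xslt and is_fetchable_url are my own. The example goes one step beyond the mail: besides the character allowlist it also checks the resolved path for containment, which is what catches a symlink inside the directory that points out of it.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# Constructed fixture: a scratch directory standing in for "/home/drtrigon/xslt/",
# holding two placeholder stylesheets (not real XSLT, just enough for the path checks).
XSLT_DIR = tempfile.mkdtemp(prefix="xslt-demo-")
for _name in ("table", "report"):
    with open(os.path.join(XSLT_DIR, _name + ".xslt"), "w") as _fh:
        _fh.write("<xsl:stylesheet/>")

# Constructed edge case: a symlink *inside* the directory pointing *outside* it.
# The character allowlist alone would accept the name "escape", so the
# containment check in resolve_xslt has to catch it. Skipped where symlinks
# are unavailable; SYMLINK_OK records whether the fixture exists.
_OUTSIDE = os.path.join(tempfile.mkdtemp(prefix="outside-"), "secret.txt")
with open(_OUTSIDE, "w") as _fh:
    _fh.write("not part of the stylesheet directory")
try:
    os.symlink(_OUTSIDE, os.path.join(XSLT_DIR, "escape.xslt"))
    SYMLINK_OK = True
except (OSError, NotImplementedError):
    SYMLINK_OK = False

# Allowlist for the user-supplied stylesheet name: letters, digits, '_' and '-'.
# Neither '/', '.' nor NUL can appear, so "../" and "\0" tricks are ruled out
# by construction. fullmatch() is used so a trailing newline cannot slip past '$'.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_xslt(name, base_dir=XSLT_DIR):
    """Map a user-supplied name to base_dir/<name>.xslt, or return None.

    Two independent checks: the character allowlist (first line of defence)
    and a containment check on the *resolved* path, so a symlink, or a later
    relaxation of NAME_RE, cannot silently reach outside base_dir.
    """
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".xslt"))
    if os.path.dirname(candidate) != base:
        return None  # the resolved file lives outside the directory (e.g. symlink)
    if not os.path.isfile(candidate):
        return None  # unknown stylesheet: caller answers with a neutral message
    return candidate


def is_fetchable_url(url):
    """Accept only absolute http(s) URLs that name a host.

    Rejects bare paths ('/etc/passwd': empty scheme) and 'file:///etc/passwd'
    ('file' scheme), both of which urllib/urllib2 would otherwise open.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


if __name__ == "__main__":
    for n in ("table", "../../etc/passwd", "table\0", "escape", "missing"):
        print(repr(n), "->", resolve_xslt(n))
    for u in ("http://example.org/a.xml", "/etc/passwd", "file:///etc/passwd"):
        print(repr(u), "->", is_fetchable_url(u))
```

The caller passes only the bare name (no extension) and never the path; if resolve_xslt returns None, it answers with the neutral message mentioned in the thread rather than an error that reveals which files exist.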

_______________________________________________
Toolserver-l mailing list (Toolserver-l@lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/toolserver-l
Posting guidelines for this list: 
https://wiki.toolserver.org/view/Mailing_list_etiquette
