On 11.09.2011 22:59, Platonides wrote:
> Dr. Trigon wrote:
>> import os
>> allowed = [item for item in os.listdir('.') if '.xslt' in item]
>> if xslt not in allowed:
>>     # return some neutral/blank message (hiding all sensitive data)
>
> I would check that xslt is only composed by alphanumeric
> characters* and do something like "/home/drtrigon/xslt/" + xslt +
> ".xslt" (this ensures there's no ../ and doesn't contain \0)

Sorry, that answer confuses me; "check that xslt is only composed by
alphanumeric characters" is just a second (more paranoid) check to be
very sure? Since only xslt from my path are allowed, I would have to put
them into this directory and do check them then...

The other thing is that the content of this xslt will be passed to
'etree.XML' like:

>>> from lxml import etree
>>> doc = etree.parse(f)
>>> xslt_root = etree.XML( open(xslt).read() )

so why should there be a problem if the xslt would contain binary data
(which in fact they would not, since I have to upload them... ;)

> Also, I'm not sure if urllib.open() works with file:// urls, but
> I'd verify it's a http or https url .

On 11.09.2011 23:29, Merlijn van Deen wrote:
> On 11 September 2011 22:59, Platonides <platoni...@gmail.com
> <mailto:platoni...@gmail.com>> wrote:
>
>     Also, I'm not sure if urllib.open() works with file:// urls, but
>     I'd verify it's a http or https url .
>
> It even works without. For urllib2, you do need to use file://
> urls.
>
> valhallasw@dorthonion:~$ python
> Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56)
> [GCC 4.4.3] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
>>>> import urllib, urllib2
>>>> urllib.urlopen('/etc/passwd').readlines()
> ['root:x:0:0:root:/root:/bin/bash\n', (...)
> ,'usbmux:x:109:46:usbmux daemon,,,:/home/usbmux:/bin/false\n']
>>>> urllib2.urlopen('file:///etc/passwd').readlines()
> ['root:x:0:0:root:/root:/bin/bash\n', (...)

What would be the best / most safe verification? Check for "http" at
the beginning of the string? Or is there a good way to prevent urllib
from allowing such accesses?

> Of course, it all boils back to the old motto 'never trust user
> input' - and be sure standard libraries are not more general than
> you think...

I would never ever trust my own input at all... ;)) And I can only cite
DNA here: "To summarize the summary of the summary: 'People are a
problem'"... ;)))

And to be quite honest, the fact of having (python) standard libraries
that are more general than I (could ever) think is one of those things
that amaze me every time... :)

> (and this is something that might have bitten more of us, including
> me :-))

(makes me somehow happy not to be the only one... ;)

Greetings

_______________________________________________
Toolserver-l mailing list (Toolserver-l@lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/toolserver-l
Posting guidelines for this list: https://wiki.toolserver.org/view/Mailing_list_etiquette
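The two checks discussed in the thread, written out as an added example (this is not code from the thread and not Dr. Trigon's or Platonides' own code; it is Python 3, whereas the thread uses Python 2). The directory `/home/drtrigon/xslt` is taken from Platonides' suggestion and the function names are mine. The stylesheet check combines the alphanumeric whitelist with a realpath comparison, so the regex is the primary guard and the path comparison a second, independent one. The URL check parses the string instead of testing for a `"http"` prefix, since `urllib.urlopen()` (and `urllib.request.urlopen()` in Python 3) will read a bare path or a `file://` URL from the local filesystem:

```python
"""Two whitelist checks for the questions raised in the thread: a
user-supplied XSLT name that ends up in open(), and a user-supplied URL
that ends up in urllib, which opens bare paths and file:// URLs as
readily as http://.

Added example for this page, not code from the thread. XSLT_DIR follows
Platonides' suggested directory; the function names are assumptions.
"""
import os
import re
from urllib.parse import urlsplit

# Assumed stylesheet directory (Platonides' suggestion, not verified).
XSLT_DIR = "/home/drtrigon/xslt"

# Whitelist: letters, digits, '_' and '-' only, 1..64 characters. No '.',
# '/', '\\' or NUL, so neither "../" nor "name\0.txt" can get through.
_NAME_RE = re.compile(r"\A[A-Za-z0-9_-]{1,64}\Z")


def resolve_xslt_path(name, base_dir=XSLT_DIR):
    """Map an untrusted stylesheet name to <base_dir>/<name>.xslt.

    Raises ValueError otherwise. The realpath comparison is a second,
    independent guard: should the regex ever be loosened, a path that
    resolves outside base_dir (including via a symlink) is still refused.
    """
    if not isinstance(name, str) or _NAME_RE.match(name) is None:
        raise ValueError("stylesheet name must be alphanumeric")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name + ".xslt"))
    if os.path.dirname(path) != base:
        raise ValueError("stylesheet path escapes the base directory")
    return path


def validated_http_url(url):
    """Return url if it is an absolute http(s) URL with a host, else raise.

    A prefix test such as url.startswith("http") is too weak: it accepts
    "httpfoo://..." and says nothing about the rest of the URL. Parse it
    and check the scheme and host explicitly instead.
    """
    if not isinstance(url, str) or any(c in url for c in "\r\n\x00"):
        raise ValueError("malformed URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http and https URLs are allowed")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return url


def is_allowed_xslt_name(name, base_dir=XSLT_DIR):
    """Boolean form of resolve_xslt_path for callers that want yes/no."""
    try:
        resolve_xslt_path(name, base_dir)
        return True
    except ValueError:
        return False


def is_allowed_url(url):
    """Boolean form of validated_http_url."""
    try:
        validated_http_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; the URL group includes the two cases from
    # the thread that urllib/urllib2 would open as local files.
    for name in ("report-2011_v2", "../../etc/passwd", "a/b", "x\x00y", ""):
        print("xslt %-20r -> %s" % (name, is_allowed_xslt_name(name)))
    for url in ("http://example.org/page", "https://example.org/",
                "/etc/passwd", "file:///etc/passwd", "http:///etc/passwd",
                "httpfoo://example.org/"):
        print("url  %-28r -> %s" % (url, is_allowed_url(url)))
```

Note that the URL check only answers the question asked in the thread (no local file access through urllib). An `http://` URL pointing at an internal host is still accepted; refusing loopback and private address ranges after resolving the hostname is a separate check.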