On Fri, Mar 8, 2013 at 12:19 PM,  <i...@cravendot.gr> wrote:
> I dare anyone who wants to mess with the 'htmlpage' variable's values now!
>
> I made it unhackable, I believe!
>
> I've been testing it myself for 3 hours now and find it safe!
>
> Please feel free to try also!

Okay, done.  I was still able to read your source files, and I was
still able to write a file to your webserver.  All I had to do was
change 'htmlpage' to 'page' in the example URLs I sent you before.
Validating the 'htmlpage' field does nothing if you also switch the
dispatch to the 'page' field.

And as far as the validation goes, from what I can see in the source,
it looks like you're just checking whether the string '.html' appears
in it somewhere.  It's not hard at all to craft a malicious page
request that meets that.

As a start, try checking that the file actually exists before doing
anything with it, and that it is in one of the directories used by
your web server.
-- 
http://mail.python.org/mailman/listinfo/python-list
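As an added example (not code from the thread or the original poster's script), here is a Python 3 version of the checks suggested above: the naive '.html' substring test beside a resolver that canonicalises the requested name, confirms it stays under an assumed document root WEB_ROOT, requires a real .html extension and checks that the file exists, plus a dispatcher that applies the same rule to both 'htmlpage' and 'page'. The file set FAKE_FILES is constructed so the example runs offline.

```python
import os
from urllib.parse import parse_qs

# Constructed document root for this example; a real deployment would use
# the web server's configured directory.
WEB_ROOT = "/srv/www/site"

def naive_is_valid(name):
    """The check described in the thread: is '.html' anywhere in the name?"""
    return ".html" in name

def resolve_page(requested, web_root=WEB_ROOT, exists=os.path.isfile):
    """Return the canonical path of the requested page, or None unless it is
    an existing .html file inside web_root. 'exists' is injectable so the
    example runs offline against a constructed file set."""
    if not requested or "\0" in requested:
        return None
    root = os.path.realpath(web_root)
    # os.path.join discards root if 'requested' is absolute, and realpath
    # collapses '..' segments, so the containment test sees the real target.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None                       # escaped the document root
    # Extension check on the canonical name, not a substring search.
    if os.path.splitext(candidate)[1] != ".html":
        return None
    return candidate if exists(candidate) else None

def dispatch(query_string, **kw):
    """Validate every field that can select a page, so that switching
    from 'htmlpage' to 'page' in the URL does not bypass the check."""
    params = parse_qs(query_string)
    chosen = None
    for field in ("htmlpage", "page"):
        for value in params.get(field, []):
            path = resolve_page(value, **kw)
            if path is None:
                return None               # one bad selector rejects the request
            chosen = chosen or path
    return chosen

# Constructed file set standing in for the real filesystem.
FAKE_FILES = {os.path.realpath(os.path.join(WEB_ROOT, p))
              for p in ("index.html", "docs/about.html")}
fake_exists = FAKE_FILES.__contains__
```

Calling dispatch("htmlpage=index.html&page=../../etc/passwd.html", exists=fake_exists) returns None even though naive_is_valid accepts the second value.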