On Fri, Mar 8, 2013 at 1:01 PM, Ian Kelly <ian.g.ke...@gmail.com> wrote: > On Fri, Mar 8, 2013 at 12:19 PM, <i...@cravendot.gr> wrote: >> I dare anyone who wants to to mess with 'htmlpage' variable value's now! >> >> I made it unhackable i believe! >> >> I'am testing it myself 3 hours now and find it safe! >> >> Please feel free to try also! > > Okay, done. I was still able to read your source files, and I was > still able to write a file to your webserver. All I had to do was > change 'htmlpage' to 'page' in the example URLs I sent you before. > Validating the 'htmlpage' field does nothing if you also switch the > dispatch to the 'page' field. > > And as far as the validation goes, from what I can see in the source, > it looks like you're just checking whether the string '.html' appears > in it somewhere. It's not hard at all to craft a malicious page > request that meets that. > > As a start, try checking that the file actually exists before doing > anything with it, and that it is in one of the directories used by > your web server.
os.path.isfile will help with the former, while os.path.realname and os.path.dirname will help with the latter. -- http://mail.python.org/mailman/listinfo/python-list
