Glenn Linderman v+pyt...@g.nevcal.com added the comment:
A bit of experimentation indicates that for regular file access, there probably
is no security problem, but bad paths will look in weird places, and if they
find a file of the right name, will return it. It would be much better to
Glenn Linderman v+pyt...@g.nevcal.com added the comment:
I finally understand the purpose of the checks in translate_path...
Basically, translate_path is concatenating the URL path to the current
directory (because that is considered the root for Web service by this
server). But along the way,
Éric Araujo mer...@netwok.org added the comment:
/path/parts/cgi-script/path/info/parts#anchor?query-string
This should be: /path/parts/cgi-script/path/info/parts?query-string#anchor
--
nosy: +eric.araujo
___
Python tracker rep...@bugs.python.org
New submission from Glenn Linderman v+pyt...@g.nevcal.com:
A URL potentially consists of four parts: path, PATH_INFO, anchor,
QUERY_STRING. The syntax is roughly:
/path/parts/cgi-script/path/info/parts#anchor?query-string
where # and ? characters play key roles.
is_cgi not-so-cleverly