Dr. Trigon wrote:
> Sorry for the inconveniences I caused here!
>
> What is exactly the critical point you are mentioning? Do I understand
> you right and would inserting the code
>
>     import os
>     allowed = [item for item in os.listdir('.') if '.xslt' in item]
>     if xslt not in allowed:
>         # return some neutral/blank message (hiding all sensitive data)
>
> which just allows access to "my" 'xslt' files in 'cgi-bin' satisfy
> those needs in security? Or do you have something else in mind?
> (disabling debug info, moving 'xslt' files to another directory,
> or even more restrictive, ...?)
>
> Thanks for your feedback and greetings
> DrTrigon
I would check that xslt is only composed of alphanumeric characters* and do something like "/home/drtrigon/xslt/" + xslt + ".xslt" (this ensures there's no ../ and doesn't contain \0). Also, I'm not sure if urllib.open() works with file:// urls, but I'd verify it's a http or https url.

_______________________________________________
Toolserver-l mailing list (Toolserver-l@lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/toolserver-l
Posting guidelines for this list: https://wiki.toolserver.org/view/Mailing_list_etiquette
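The two checks suggested in the reply (an alphanumeric-only stylesheet name joined onto a fixed directory, and an http/https-only URL scheme), written out as an added example that is not code from the thread or from the tool itself; the directory `/home/drtrigon/xslt` is taken from the reply, and the function names and the extra realpath containment check are this example's own additions:

```python
import os
import re
from urllib.parse import urlsplit

# Directory holding the stylesheets, as given in the reply above.
XSLT_DIR = "/home/drtrigon/xslt"

# Only letters, digits, '_' and '-' are accepted: this rules out '/', '..',
# NUL bytes and newlines before any path is ever built.
_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def xslt_path(name):
    """Map a user-supplied stylesheet name to a file inside XSLT_DIR.

    Returns the path, or None if the name is rejected. The character
    allow-list is the primary control; the realpath/commonpath check is a
    second line of defence in case the allowed set is widened later.
    """
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        return None
    path = os.path.join(XSLT_DIR, name + ".xslt")
    base = os.path.realpath(XSLT_DIR)
    if os.path.commonpath([base, os.path.realpath(path)]) != base:
        return None
    return path


def is_web_url(url):
    """Accept only http(s) URLs that carry a host.

    Rejects file://, other schemes, relative paths and 'http:///x', so a
    later fetch cannot be pointed at local files.
    """
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)
```

A rejected name or URL should be answered with the same neutral response in both cases, so the error path does not reveal which check failed or what exists on disk.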