On 12.09.2011 13:43, DaB. wrote:
> to prevent something like
>
> "../../dab/text.xml" as parameter which would result in
>
> "/home/drtrigon/xslt/"../../dab/text.xml" which would result to
>
> "/home/dab/text.xml"

Yes I assumed something similar, BUT python 'open' does not accept
"/home/drtrigon/xslt/../../dab/text.xml" as path, it returns an
"IOError: [Errno 2] No such file or directory: ..."

My idea was just to create a list of all files I allow (in fact all '.xslt' in the same dir as the script is) and check the given parameter against this. Consider this list

["atom2html.xslt", "rss2html.xslt"]

now if I do a

"xslt in ["atom2html.xslt", "rss2html.xslt"]"

I would have caught all the possible cases with any combination of "../.." and binary "\0" and else... or am I missing something here...?!? ;)

Thanks for all your patience!
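An added example (not part of the original message or the author's script) of the allowlist check discussed above: the parameter must exactly equal the name of a regular '.xslt' file in the script's directory, and anything else is rejected before a path is ever built. The function names and the temporary directory layout standing in for /home/drtrigon/xslt and /home/dab are assumptions made for the illustration.

```python
import os
import tempfile

def allowed_stylesheets(script_dir):
    """Bare names of regular '.xslt' files directly in script_dir (symlinks skipped)."""
    with os.scandir(script_dir) as entries:
        return frozenset(e.name for e in entries
                         if e.name.endswith(".xslt")
                         and e.is_file(follow_symlinks=False))

def resolve_stylesheet(param, script_dir):
    """Return the path to open for param, or None if it is not on the allowlist."""
    # Exact membership test: a value containing '/', '..' or '\0' can never
    # equal a bare file name taken from the directory listing.
    if param not in allowed_stylesheets(script_dir):
        return None
    return os.path.join(script_dir, param)

def demo():
    """Run the check over constructed inputs; returns {input: accepted?}."""
    with tempfile.TemporaryDirectory() as home:
        # Constructed layout: <home>/drtrigon/xslt/*.xslt and <home>/dab/text.xml
        xslt_dir = os.path.join(home, "drtrigon", "xslt")
        other = os.path.join(home, "dab", "text.xml")
        os.makedirs(xslt_dir)
        os.makedirs(os.path.dirname(other))
        for path in (os.path.join(xslt_dir, "atom2html.xslt"),
                     os.path.join(xslt_dir, "rss2html.xslt"), other):
            open(path, "w").close()

        samples = ["atom2html.xslt", "../../dab/text.xml", "rss2html.xslt\0",
                   "./atom2html.xslt", "/home/dab/text.xml", ""]
        results = {s: resolve_stylesheet(s, xslt_dir) is not None for s in samples}

        # For comparison: joining the raw parameter onto the directory without
        # the allowlist resolves to the file outside xslt_dir.
        joined = os.path.join(xslt_dir, "../../dab/text.xml")
        results["unchecked_join_leaves_dir"] = (
            os.path.realpath(joined) == os.path.realpath(other))
        return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(repr(key), value)
```

Because the allowlist is rebuilt from the directory listing, it is only as trustworthy as the write permissions on that directory; a hard-coded list such as ["atom2html.xslt", "rss2html.xslt"] removes that dependency.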