On Sat, Jun 21, 2008 at 2:14 PM, Justin Davis <[EMAIL PROTECTED]> wrote:
>
> import web
>
> url = (
>     '/skins/default/(.*)', 'SkinsDefault'
> )
>
> class SkinsDefault:
>     def GET(self, filename):
>         try:
>             f = open('skins/default/' + filename)
>             print f.read() # or return f.read() if you're using 0.3
>
>         except IOError: # No file named that
>             web.notfound()
This is very dangerous. It allows an attacker to read any file that
the user running the server can read. They could request
"/skins/default/../../../my_sensitive_file".
--
Gary
http://blog.extracheese.org
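The traversal Gary points out works because the handler concatenates the captured `(.*)` group onto `'skins/default/'` and opens whatever that resolves to. The fix is to resolve the requested name against the real skins directory and refuse anything whose canonical path lands outside it. The following is an added example written for this thread, not code from either poster or from web.py itself; it uses only the standard library so it runs without web.py installed, and the directory layout and file contents in `demo()` are constructed sample data. The names `resolve_under_root`, `serve_skin_file` and `demo` are this example's own.

```python
import os
import shutil
import tempfile
from typing import Optional


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the canonical path of `requested` inside `root`, or None if it escapes.

    Both sides are passed through os.path.realpath, so '..' segments,
    doubled separators and symlinks that point outside `root` are all
    collapsed before the containment check, and the check is done on the
    normalized result rather than on the raw request string.
    """
    root_real = os.path.realpath(root)
    # Drop leading separators so an absolute request is still interpreted
    # relative to root instead of replacing it in os.path.join().
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/\\")))
    try:
        # commonpath() of the two must be root itself; anything shorter means
        # the candidate climbed out of the skins directory.
        if os.path.commonpath([root_real, candidate]) != root_real:
            return None
    except ValueError:
        # Raised for mixed absolute/relative paths or different drives on Windows.
        return None
    return candidate


def serve_skin_file(root: str, filename: str) -> Optional[bytes]:
    """Read a skin file safely; None means the caller should answer 404.

    A traversal attempt and a genuinely missing file both yield None, so the
    response does not reveal which of the two happened.
    """
    path = resolve_under_root(root, filename)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return f.read()


# Wiring into the handler from the thread would look like this (web.py 0.3 style):
#
#     class SkinsDefault:
#         def GET(self, filename):
#             data = serve_skin_file('skins/default', filename)
#             if data is None:
#                 raise web.notfound()
#             return data


def demo() -> dict:
    """Build a throwaway skins tree (constructed sample data) and exercise the check."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "skins", "default")
    os.makedirs(root)
    with open(os.path.join(root, "style.css"), "wb") as f:
        f.write(b"body { color: #333; }")
    # Sibling file two levels up, standing in for the "my_sensitive_file" of the thread.
    with open(os.path.join(base, "my_sensitive_file"), "wb") as f:
        f.write(b"secret")
    try:
        return {
            "normal": serve_skin_file(root, "style.css"),
            "traversal": serve_skin_file(root, "../../my_sensitive_file"),
            "absolute": serve_skin_file(root, os.path.join(base, "my_sensitive_file")),
            "missing": serve_skin_file(root, "nope.css"),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result!r}")
```

The containment test must run on the path after every normalization step the framework applies (URL decoding, regex capture), which is why it operates on the joined, realpath'd result rather than on a blacklist of `..` substrings in the request.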