You're correct -- if you're going to run a production server, you
should configure your web server to serve the static content. It'll
be faster and safer.
For development, or an internal site, it'll work fine.
On Jun 21, 10:37 pm, "Gary Bernhardt" <[EMAIL PROTECTED]> wrote:
> On Sat, Jun 21, 2008 at 2:14 PM, Justin Davis <[EMAIL PROTECTED]> wrote:
>
> > url = (
> >     '/skins/default/(.*)', 'SkinsDefault'
> > )
>
> > class SkinsDefault:
> >     def GET(self, filename):
> >         try:
> >             f = open('skins/default/' + filename)
> >             print f.read() # or return f.read() if you're using 0.3
>
> >         except IOError: # No file named that
> >             web.notfound()
>
> This is very dangerous. It allows an attacker to read any file that
> the user running the server can read. They could request
> "/skins/default/../../../my_sensitive_file".
>
> --
> Gary
> http://blog.extracheese.org
You received this message because you are subscribed to the Google Groups
"web.py" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/webpy?hl=en
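A hardened replacement for the quoted handler, written as an added example for this thread (not code from the list or from the web.py project). It assumes Python 3 and only the standard library; the web.py glue is left out so it runs stand-alone, and a real handler would call read_static() and answer 404 whenever it returns None.

```python
import os
import tempfile


def resolve_static_path(base_dir, requested):
    """Map a URL path fragment onto a file under base_dir.

    Returns the absolute path if it lies inside base_dir, or None when
    the request escapes the directory (via '..' segments or a symlink
    pointing outside) or does not name a regular file.
    """
    base = os.path.realpath(base_dir)
    # Strip leading slashes so os.path.join cannot be handed an absolute path.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    # commonpath also rejects sibling prefixes such as base + "-evil".
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def read_static(base_dir, requested):
    """Return the file bytes, or None when the request must be refused."""
    path = resolve_static_path(base_dir, requested)
    if path is None:
        return None
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Constructed sandbox: a skins/default tree plus a secret outside it."""
    root = tempfile.mkdtemp()
    skins = os.path.join(root, "skins", "default")
    os.makedirs(skins)
    with open(os.path.join(skins, "style.css"), "wb") as f:
        f.write(b"body { color: black; }")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"do not serve")
    return {
        "ok": read_static(skins, "style.css"),
        "traversal": read_static(skins, "../../secret.txt"),
        "absolute": read_static(skins, os.path.join(root, "secret.txt")),
    }
```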