>> class SkinsDefault:
>>     def GET(self, filename):
>>         try:
>>             f = open('skins/default/' + filename)
>>             print f.read() # or return f.read() if you're using 0.3
>>
>>         except IOError: # No file named that
>>             web.notfound()
>
> This is very dangerous. It allows an attacker to read any file that
> the user running the server can read. They could request
> "/skins/default/../../../my_sensitive_file".
You add the following assert to make sure it is safe.
assert '..' not in filename
You received this message because you are subscribed to the Google Groups
"web.py" group.
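Added example (not code from this thread or from web.py itself): a containment check that resolves the requested name against the skin directory and refuses anything that ends up outside it, whether through "..", an absolute path, or a symlink. The names resolve_skin_path, read_skin, SKIN_ROOT and make_sample_root are assumptions for this illustration; the skins/default/ layout is taken from the quoted handler. The sample directory is constructed on the fly so the script runs offline.

```python
import os
import tempfile

# Assumed layout, taken from the quoted handler: skins live under skins/default/.
SKIN_ROOT = os.path.abspath(os.path.join("skins", "default"))


def resolve_skin_path(filename, root=SKIN_ROOT):
    """Map a client-supplied filename to a path strictly inside `root`.

    Returns the resolved absolute path, or None if the name is empty,
    contains a NUL byte, or resolves (after '..' collapsing and symlink
    expansion) to anything outside `root`.
    """
    if not filename or "\x00" in filename:
        return None
    real_root = os.path.realpath(root)
    # os.path.join discards `root` entirely when `filename` is absolute, which is
    # why the check below runs on the resolved result rather than on the raw input.
    candidate = os.path.realpath(os.path.join(real_root, filename))
    # Containment test: the candidate must be a descendant of the root directory.
    if not candidate.startswith(real_root + os.sep):
        return None
    return candidate


def read_skin(filename, root=SKIN_ROOT):
    """Return the file's text, or None for both rejected names and missing files.

    Answering both cases with the same 'not found' keeps the handler from
    acting as an oracle for which paths exist outside the skin directory.
    """
    path = resolve_skin_path(filename, root)
    if path is None:
        return None
    try:
        with open(path) as f:
            return f.read()
    except OSError:  # missing file, a directory, or unreadable
        return None


def make_sample_root():
    """Create a throwaway skin directory holding one file (constructed sample data)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "style.css"), "w") as f:
        f.write("body { margin: 0 }")
    return root


def demo():
    """Exercise the checks against the sample directory and return the outcomes."""
    root = make_sample_root()
    names = ["style.css", "../../../my_sensitive_file", "missing.css"]
    return dict((name, read_skin(name, root)) for name in names)


if __name__ == "__main__":
    for name, body in demo().items():
        print("%-28s -> %r" % (name, body))
```

The check is done on the resolved path instead of on the input string so that it does not depend on how the name was spelled; it also runs as an ordinary `if` rather than an `assert`, since `python -O` strips assert statements and an AssertionError would surface as a server error instead of a 404.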