From: Νίκος Γκρ33κ
Newsgroups: comp.lang.python
Subject: Re: An error when i switched from python v2.6.6 => v3.2.3
Date: Thu, 7 Mar 2013 16:57:30 -0800 (PST)

On Thursday, 7 March 2013 10:15:11 PM UTC+2, user Ian wrote:
> On Thu, Mar 7, 2013 at 1:04 PM, Νίκος Γκρ33κ wrote:
> > On Thursday, 7 March 2013 9:36:33 PM UTC+2, user Joel Goldstick wrote:
> >> So, I see you fixed the problem. How?
> >
> > Apart from appearing ugly it's not causing any more trouble (other than some issues that I have fixed), so I will just d:
> >
> > os.system( 'python %s > %s' % (htmlpage, temp) )
> > f = open( temp )
> > htmldata = f.read()
> > htmldata = htmldata.replace( 'Content-type: text/html; charset=utf-8', '' )
>
> If htmlpage is being pulled from the HTTP request as I think it is,
> then you have a code injection vulnerability here. Think what could
> happen if htmlpage were something like this:
>
> -c ''; rm -rf /; oops.py

Yes, it's being pulled by HTTP request!
But please try to do it, I don't think it will work!
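
The issue raised in Ian's quoted reply, as an added example that is not part of the original thread: `shell_commands` shows how a shell would split the `os.system()` string for the quoted input without running anything, and `render_page` runs the page through an argument list instead. `render_page`, `shell_commands`, `pages_dir` and `out.tmp` are hypothetical names assumed for illustration.

```python
import os
import shlex
import subprocess
import sys

# Constructed sample: the htmlpage value from the quoted reply.
SAMPLE = "-c ''; rm -rf /; oops.py"


def shell_commands(htmlpage, temp="out.tmp"):
    """Approximate how a POSIX shell splits the thread's os.system() string.

    Nothing is executed; returns one token list per ';'-separated command.
    """
    line = "python %s > %s" % (htmlpage, temp)
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token == ";":
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return commands


def render_page(htmlpage, pages_dir):
    """Hypothetical replacement: run the page script with no shell at all.

    htmlpage must resolve to an existing file inside pages_dir (assumed to be
    the directory holding the site's scripts); output is captured directly.
    """
    base = os.path.realpath(pages_dir)
    script = os.path.realpath(os.path.join(base, htmlpage))
    if os.path.commonpath([base, script]) != base or not os.path.isfile(script):
        raise ValueError("refusing to run %r" % htmlpage)
    # argv list: htmlpage is a single argument, never parsed by /bin/sh.
    done = subprocess.run([sys.executable, script], capture_output=True,
                          text=True, timeout=10, check=True)
    return done.stdout


if __name__ == "__main__":
    for argv in shell_commands(SAMPLE):
        print(argv)
```

Capturing stdout directly also removes the need for the temporary file and the shell redirection.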