From: Ian Kelly
Date: Fri, 8 Mar 2013 13:04:58 -0700
Subject: Re: An error when i switched from python v2.6.6 => v3.2.3
To: python-list@python.org
Newsgroups: comp.lang.python
List-Id: General discussion list for the Python programming language

On Fri, Mar 8, 2013 at 1:01 PM, Ian Kelly wrote:
> On Fri, Mar 8, 2013 at 12:19 PM, wrote:
>> I dare anyone who wants to mess with the 'htmlpage' variable's value now!
>>
>> I made it unhackable, I believe!
>>
>> I'm testing it myself 3 hours now and find it safe!
>>
>> Please feel free to try also!
>
> Okay, done. I was still able to read your source files, and I was
> still able to write a file to your webserver. All I had to do was
> change 'htmlpage' to 'page' in the example URLs I sent you before.
> Validating the 'htmlpage' field does nothing if you also switch the
> dispatch to the 'page' field.
>
> And as far as the validation goes, from what I can see in the source,
> it looks like you're just checking whether the string '.html' appears
> in it somewhere. It's not hard at all to craft a malicious page
> request that meets that.
>
> As a start, try checking that the file actually exists before doing
> anything with it, and that it is in one of the directories used by
> your web server.

os.path.isfile will help with the former, while os.path.realname and
os.path.dirname will help with the latter.
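The two checks suggested in the reply (the requested file exists, and it lives inside a directory the web server is meant to serve from), written out as an added example that is not code from this thread or from the original poster's CGI script. It puts the weak ".html"-substring validation the reply describes next to a containment check built on os.path.realpath (the standard-library function; "realname" above reads as a typo for it) and os.path.commonpath, rather than on os.path.dirname alone, because comparing directory names does not catch `..` components or absolute paths. The web root, the neighbouring source directory and the probe values are all assumptions, constructed in a temporary directory so the block runs offline.

```python
import os
import shutil
import tempfile
from typing import Dict, Iterable, Optional, Tuple


def build_fixture() -> str:
    """Constructed fixture (assumption, not the poster's real layout):
    base/htdocs/index.html  - the only thing that should be servable
    base/cgi-bin/app.py     - 'source file' that must never be read
    base/secret.html        - ends in .html but sits outside htdocs
    """
    base = tempfile.mkdtemp(prefix="weakcgi-")
    os.makedirs(os.path.join(base, "htdocs"))
    os.makedirs(os.path.join(base, "cgi-bin"))
    with open(os.path.join(base, "htdocs", "index.html"), "w") as f:
        f.write("<h1>hello</h1>\n")
    with open(os.path.join(base, "cgi-bin", "app.py"), "w") as f:
        f.write("SECRET = 'do not serve me'\n")
    with open(os.path.join(base, "secret.html"), "w") as f:
        f.write("outside htdocs\n")
    return base


def weak_check(page: str) -> bool:
    """The validation the reply describes: '.html' appears somewhere in the value."""
    return ".html" in page


def resolve_page(page: str, web_roots: Iterable[str]) -> Optional[str]:
    """Return the canonical path of `page` only if it is an existing regular
    .html file inside one of `web_roots`; otherwise None (do not serve)."""
    # Embedded NUL bytes make os.stat/os.path raise ValueError; reject up front.
    if not page or "\x00" in page:
        return None
    for root in web_roots:
        root_real = os.path.realpath(root)
        # Join relative to the root, then canonicalise '..' and symlinks.
        # Note: join() discards the root if `page` is absolute, so the
        # containment check below is what actually protects us.
        candidate = os.path.realpath(os.path.join(root_real, page))
        try:
            inside = os.path.commonpath([root_real, candidate]) == root_real
        except ValueError:  # different drives on Windows: certainly not inside
            inside = False
        if not inside:
            continue
        if not candidate.endswith(".html"):
            continue
        if not os.path.isfile(candidate):  # the 'exists' check from the reply
            continue
        return candidate
    return None


def evaluate(base: str) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Run both checks over constructed probe values (assumptions) and return
    {probe: (weak_check result, resolve_page result)}."""
    roots = [os.path.join(base, "htdocs")]
    probes = [
        "index.html",                           # legitimate request
        "../secret.html",                       # ends in .html, outside the root
        "index.html/../../cgi-bin/app.py",      # contains '.html', resolves to source
        "../cgi-bin/app.py\x00.html",           # NUL-byte trick against the substring check
        os.path.join(base, "secret.html"),      # absolute path; join() would drop the root
    ]
    return {p: (weak_check(p), resolve_page(p, roots)) for p in probes}


if __name__ == "__main__":
    base = build_fixture()
    try:
        for probe, (weak, resolved) in evaluate(base).items():
            print(f"{probe!r:45} weak_check={weak!s:5} served={resolved}")
    finally:
        shutil.rmtree(base)
```

Every probe except the first passes the substring test, and all but the absolute one would also pass a plain `endswith(".html")` test; only the containment check on the canonicalised path separates the one legitimate request from the rest. Checking existence alone is not enough either: `../secret.html` and the resolved `cgi-bin/app.py` both exist.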