Newsgroups: comp.lang.python
Date: Fri, 8 Mar 2013 19:15:08 -0800 (PST)
Subject: Re: An error when i switched from python v2.6.6 => v3.2.3
From: nagia.retsina@gmail.com
To: comp.lang.python@googlegroups.com
User-Agent: G2/1.0

On Saturday, 9 March 2013 2:26:56 a.m. UTC+2, user Ian wrote:

> On Fri, Mar 8, 2013 at 1:31 PM, Νίκος Γκρ33κ wrote:
>
> > Thank you very much for pointing out my flaws once again!
> >
> > I can't believe how easily you hacked the webserver again and were able to read my cgi scripts' source and write to cgi-bin too!
> >
> > I have added extra security by following some of your advice, I wonder if you can hack it again!
> >
> > Feel free to try if I'm not tiring you, please!
>
> That seems to be better, although I want to stress that I did not try
> very hard. It's possible that somebody with more patience and
> imagination than myself might still find a way to fool your
> validation.
I'm glad the script has been made more secure, after of course you enlightened me and I followed your advice. Here is what I did:

import os
import cgi

form = cgi.FieldStorage()
page = form.getvalue('page')          # requested cgi-bin page, if any
htmlpage = form.getvalue('htmlpage')  # requested html page, if any

# detect how 'index.html' is called and validate values of 'htmlpage' & 'page'
if page and os.path.isfile( '/home/nikos/www/cgi-bin/' + page ):
    # the joined path names an existing regular file: keep the request as-is
    page = page
elif form.getvalue('show') and htmlpage and os.path.isfile( htmlpage ):
    # serve the html page, with the public_html prefix stripped off
    page = htmlpage.replace( '/home/nikos/public_html/', '' )
else:
    page = 'index.html'

Now that you have the if structure's logic, can you *still* fool the script?
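A containment check for the validation above, added here as an example and not code from the thread: instead of joining a fixed prefix to the request and calling os.path.isfile, it resolves the joined path with os.path.realpath and serves the file only if the result still lies under the base directory. The sandbox directory, file names and the `safe_page`/`demo` names are assumptions for the example; the same check applies to the `htmlpage` branch with its own base directory.

```python
import os
import tempfile


def safe_page(base_dir, requested, default="index.html"):
    """Return the relative name of the file to serve, or `default`.

    Joining a fixed prefix to the request and calling os.path.isfile only
    shows that *some* regular file exists at the joined path, not that the
    file lies inside the prefix, because ".." components and absolute
    requests are left intact. Resolving both sides with realpath and
    comparing them closes that gap.
    """
    if not requested:
        return default
    base = os.path.realpath(base_dir)
    # realpath follows symlinks and collapses "." and ".." components
    target = os.path.realpath(os.path.join(base, requested))
    # os.sep is appended so that "/home/x/www-old" does not match "/home/x/www"
    if not target.startswith(base + os.sep):
        return default
    if not os.path.isfile(target):
        return default
    return os.path.relpath(target, base)


def demo():
    """Constructed sandbox (not a real web root): a base directory holding
    two pages plus one file outside it. Returns what safe_page decides for
    a handful of request shapes."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "www")
    os.makedirs(base)
    for name in ("index.html", "about.html"):
        open(os.path.join(base, name), "w").close()
    outside = os.path.join(root, "secret.txt")  # exists, but not under base
    open(outside, "w").close()
    return {
        "plain": safe_page(base, "about.html"),      # served
        "dotdot": safe_page(base, "../secret.txt"),  # exists, refused
        "absolute": safe_page(base, outside),        # exists, refused
        "dotslash": safe_page(base, "./about.html"), # normalised, served
        "missing": safe_page(base, "missing.html"),  # no such file
        "empty": safe_page(base, ""),                # no request
        "directory": safe_page(base, "."),           # base itself, refused
    }
```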