| Started by | Νίκος Γκρ33κ <nikos.gr33k@gmail.com> |
|---|---|
| First post | 2013-03-07 00:18 -0800 |
| Last post | 2013-03-07 13:50 -0500 |
| Articles | 20 on this page of 80 — 14 participants |
An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 00:18 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 01:06 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 03:27 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 "Michael Ross" <gmx@ross.cx> - 2013-03-07 12:51 +0100
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 04:25 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 "Michael Ross" <gmx@ross.cx> - 2013-03-07 14:06 +0100
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 05:22 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 00:43 +1100
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 05:56 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 01:01 +1100
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:11 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:13 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 01:17 +1100
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:34 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 01:37 +1100
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:44 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 01:48 +1100
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:44 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:34 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:13 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 01:16 +1100
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:11 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 05:56 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 05:22 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 04:25 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:50 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 06:52 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 07:01 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 02:13 +1100
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 07:26 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 02:33 +1100
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 07:57 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 rh <richard_hubbe11@lavabit.com> - 2013-03-07 10:51 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Joel Goldstick <joel.goldstick@gmail.com> - 2013-03-07 13:57 -0500
Re: An error when i switched from python v2.6.6 => v3.2.3 Joel Goldstick <joel.goldstick@gmail.com> - 2013-03-07 14:36 -0500
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 12:04 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Ian Kelly <ian.g.kelly@gmail.com> - 2013-03-07 13:15 -0700
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 16:57 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Vito De Tullio <vito.detullio@gmail.com> - 2013-03-08 04:55 +0100
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 22:54 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 22:54 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 22:56 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-08 18:01 +1100
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 02:51 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 02:51 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 22:56 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-03-08 18:54 +0000
Re: An error when i switched from python v2.6.6 => v3.2.3 info@cravendot.gr - 2013-03-08 11:19 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Ian Kelly <ian.g.kelly@gmail.com> - 2013-03-08 13:01 -0700
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 12:31 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Chris Angelico <rosuav@gmail.com> - 2013-03-09 08:37 +1100
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 19:18 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Mark Lawrence <breamoreboy@yahoo.co.uk> - 2013-03-09 03:27 +0000
Re: An error when i switched from python v2.6.6 => v3.2.3 Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-03-09 05:05 +0000
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 23:56 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Mark Lawrence <breamoreboy@yahoo.co.uk> - 2013-03-09 12:43 +0000
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-09 06:16 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-09 06:16 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 rusi <rustompmody@gmail.com> - 2013-03-09 07:20 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 19:18 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Ian Kelly <ian.g.kelly@gmail.com> - 2013-03-08 17:26 -0700
Re: An error when i switched from python v2.6.6 => v3.2.3 nagia.retsina@gmail.com - 2013-03-08 19:15 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 nagia.retsina@gmail.com - 2013-03-08 19:15 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 12:31 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Ian Kelly <ian.g.kelly@gmail.com> - 2013-03-08 13:04 -0700
Re: An error when i switched from python v2.6.6 => v3.2.3 nagia.retsina@gmail.com - 2013-03-08 12:54 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 emile <emile@fenx.com> - 2013-03-08 14:13 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Ian Kelly <ian.g.kelly@gmail.com> - 2013-03-08 17:18 -0700
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 19:17 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Mark Lawrence <breamoreboy@yahoo.co.uk> - 2013-03-09 03:33 +0000
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-08 19:17 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 16:57 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 12:04 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 07:57 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 07:26 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 John Gordon <gordon@panix.com> - 2013-03-07 15:55 +0000
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 08:00 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Νίκος Γκρ33κ <nikos.gr33k@gmail.com> - 2013-03-07 08:22 -0800
Re: An error when i switched from python v2.6.6 => v3.2.3 Joel Goldstick <joel.goldstick@gmail.com> - 2013-03-07 12:41 -0500
Re: An error when i switched from python v2.6.6 => v3.2.3 Joel Goldstick <joel.goldstick@gmail.com> - 2013-03-07 13:50 -0500
| From | Ian Kelly <ian.g.kelly@gmail.com> |
|---|---|
| Date | 2013-03-08 17:26 -0700 |
| Message-ID | <mailman.3108.1362788858.2939.python-list@python.org> |
| In reply to | #40897 |
On Fri, Mar 8, 2013 at 1:31 PM, Νίκος Γκρ33κ <nikos.gr33k@gmail.com> wrote:
> Thank you very much for pointing out my flaws once again!
>
> I can't believe how easily you hacked the webserver again and were able to read my cgi scripts' source and write to cgi-bin too!
>
> I have added extra security by following some of your advice, i wonder if you can hack it again!
>
> Feel free to try if I'm not tiring you please!

That seems to be better, although I want to stress that I did not try very hard. It's possible that somebody with more patience and imagination than myself might still find a way to fool your validation.
| From | nagia.retsina@gmail.com |
|---|---|
| Date | 2013-03-08 19:15 -0800 |
| Message-ID | <608b6264-921c-4d00-98cd-81b89f2dc20b@googlegroups.com> |
| In reply to | #40912 |
On Saturday, 9 March 2013 2:26:56 AM UTC+2, user Ian wrote:
> On Fri, Mar 8, 2013 at 1:31 PM, Νίκος Γκρ33κ <nikos.gr33k@gmail.com> wrote:
> > Thank you very much for pointing out my flaws once again!
> >
> > I can't believe how easily you hacked the webserver again and were able to read my cgi scripts' source and write to cgi-bin too!
> >
> > I have added extra security by following some of your advice, i wonder if you can hack it again!
> >
> > Feel free to try if I'm not tiring you please!
>
> That seems to be better, although I want to stress that I did not try
> very hard. It's possible that somebody with more patience and
> imagination than myself might still find a way to fool your
> validation.

I'm glad the script has been made more secure after of course you enlightened me and i followed your advice. Here is what i did:

```python
# detect how 'index.html' is called and validate values of 'htmlpage' & 'page'
if page and os.path.isfile( '/home/nikos/www/cgi-bin/' + page ):
    page = page
elif form.getvalue('show') and os.path.isfile( htmlpage ):
    page = htmlpage.replace( '/home/nikos/public_html/', '' )
else:
    page = 'index.html'
```

Now that you have the if structure's logic can you *still* fool the script?
| From | Νίκος Γκρ33κ <nikos.gr33k@gmail.com> |
|---|---|
| Date | 2013-03-08 12:31 -0800 |
| Message-ID | <mailman.3098.1362774722.2939.python-list@python.org> |
| In reply to | #40894 |
On Friday, 8 March 2013 10:01:59 PM UTC+2, user Ian wrote:
> On Fri, Mar 8, 2013 at 12:19 PM, <info@cravendot.gr> wrote:
> > I dare anyone who wants to mess with the 'htmlpage' variable's value now!
> >
> > I made it unhackable i believe!
> >
> > I'm testing it myself 3 hours now and find it safe!
> >
> > Please feel free to try also!
>
> Okay, done. I was still able to read your source files, and I was
> still able to write a file to your webserver. All I had to do was
> change 'htmlpage' to 'page' in the example URLs I sent you before.
> Validating the 'htmlpage' field does nothing if you also switch the
> dispatch to the 'page' field.
>
> And as far as the validation goes, from what I can see in the source,
> it looks like you're just checking whether the string '.html' appears
> in it somewhere. It's not hard at all to craft a malicious page
> request that meets that.
>
> As a start, try checking that the file actually exists before doing
> anything with it, and that it is in one of the directories used by
> your web server.

Thank you very much for pointing out my flaws once again!

I can't believe how easily you hacked the webserver again and were able to read my cgi scripts' source and write to cgi-bin too!

I have added extra security by following some of your advice, i wonder if you can hack it again!

Feel free to try if I'm not tiring you please!
| From | Ian Kelly <ian.g.kelly@gmail.com> |
|---|---|
| Date | 2013-03-08 13:04 -0700 |
| Message-ID | <mailman.3096.1362773147.2939.python-list@python.org> |
| In reply to | #40890 |
On Fri, Mar 8, 2013 at 1:01 PM, Ian Kelly <ian.g.kelly@gmail.com> wrote:
> On Fri, Mar 8, 2013 at 12:19 PM, <info@cravendot.gr> wrote:
>> I dare anyone who wants to mess with the 'htmlpage' variable's value now!
>>
>> I made it unhackable i believe!
>>
>> I'm testing it myself 3 hours now and find it safe!
>>
>> Please feel free to try also!
>
> Okay, done. I was still able to read your source files, and I was
> still able to write a file to your webserver. All I had to do was
> change 'htmlpage' to 'page' in the example URLs I sent you before.
> Validating the 'htmlpage' field does nothing if you also switch the
> dispatch to the 'page' field.
>
> And as far as the validation goes, from what I can see in the source,
> it looks like you're just checking whether the string '.html' appears
> in it somewhere. It's not hard at all to craft a malicious page
> request that meets that.
>
> As a start, try checking that the file actually exists before doing
> anything with it, and that it is in one of the directories used by
> your web server.

os.path.isfile will help with the former, while os.path.realname and os.path.dirname will help with the latter.
| From | nagia.retsina@gmail.com |
|---|---|
| Date | 2013-03-08 12:54 -0800 |
| Message-ID | <ef9369f3-f019-4302-836c-15cf58ffb58b@googlegroups.com> |
| In reply to | #40884 |
On Friday, 8 March 2013 8:54:15 PM UTC+2, user Steven D'Aprano wrote:
> >>> -c ''; rm -rf /; oops.py
>
> Please don't tell the newbies to destroy their system, no matter how
> tempting it might be.

What is that "-c ''" option i keep seeing in the attempts to pass bogus info in my 'page' variable?

And how is oops.py relevant? Such a file does not exist on my webserver.
| From | emile <emile@fenx.com> |
|---|---|
| Date | 2013-03-08 14:13 -0800 |
| Message-ID | <mailman.3105.1362780782.2939.python-list@python.org> |
| In reply to | #40900 |
On 03/08/2013 12:54 PM, nagia.retsina@gmail.com wrote:
> On Friday, 8 March 2013 8:54:15 PM UTC+2, user Steven D'Aprano wrote:
> >>>>> -c ''; rm -rf /; oops.py
> >
> > Please don't tell the newbies to destroy their system, no matter how
> > tempting it might be.
>
> What is that "-c ''" option i keep seeing in the attempts to pass bogus info in my 'page' variable?
>
> And how is oops.py relevant? Such a file does not exist on my webserver.

You're certainly right about that -- particularly by the time it's attempted. :)

Emile
| From | Ian Kelly <ian.g.kelly@gmail.com> |
|---|---|
| Date | 2013-03-08 17:18 -0700 |
| Message-ID | <mailman.3107.1362788364.2939.python-list@python.org> |
| In reply to | #40900 |
On Fri, Mar 8, 2013 at 1:54 PM, <nagia.retsina@gmail.com> wrote:
> On Friday, 8 March 2013 8:54:15 PM UTC+2, user Steven D'Aprano wrote:
> >> >>> -c ''; rm -rf /; oops.py
> >
> > Please don't tell the newbies to destroy their system, no matter how
> > tempting it might be.
>
> What is that "-c ''" option i keep seeing in the attempts to pass bogus info in my 'page' variable?
>
> And how is oops.py relevant? Such a file does not exist on my webserver.

The command that gets run is "python %s > %s", where the page variable is substituted in for the first %s. If you perform that substitution, you will get:

python -c ''; rm -rf /; oops.py > /path/to/some/temp/file

So the -c is an option to Python. It means that instead of reading a script, Python should run commands passed on the command line in the next argument. That's the ''. It's empty, so what this instructs Python is to do nothing at all.

The second command in this shell script is "rm -rf /". I assume you know what that would do.

The third command is "oops.py > /path/to/some/tempfile". The fact that oops.py does not exist is not important, because the attacker does not care what this command does. The payload of the attack was already delivered in the second command. The only reason for this is because it ends in .py, which is what the web server is looking for when deciding whether to run a script. The word "oops" here is just for levity.
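Added example, not code from the thread or from its participants: a defender's version of the two points raised above. Nikos's `if page and os.path.isfile('/home/nikos/www/cgi-bin/' + page)` check accepts any existing file reachable from that prefix, including one named with `../` segments; Ian's advice is to confirm the file exists and lies in a directory the web server serves, which here is done by resolving the name with `os.path.realpath` and comparing the resolved path against the allowed directory with `os.path.commonpath`. Ian's walk-through of `python -c ''; ...` shows what `os.system("python %s > %s")` hands to the shell; the renderer below uses `subprocess.run` with an argument list, so the request value is never parsed by `/bin/sh`, and because it receives the absolute resolved path the argument cannot begin with `-` and be read as an interpreter option. The allowed directory, the small CGI script written into it, the request strings and all function names are constructed for this example.

```python
"""Added example (not code from the thread): validate a requested page name
against one allowed directory, then run that page's CGI script without a
shell. Directory, script, request strings and names are constructed here."""
import os
import re
import subprocess
import sys
import tempfile


def resolve_page(name, allowed_dir):
    """Return the absolute, symlink-resolved path of `name` inside
    `allowed_dir`, or None when the request must be refused.

    isfile(prefix + page) is true for '../../etc/passwd' just as it is for
    'index.html'. Comparing on the *resolved* path catches '..' segments and
    symlinks that leave the directory; isfile then confirms an ordinary
    file really exists there.
    """
    if not name or "\x00" in name:
        return None
    root = os.path.realpath(allowed_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    # The resolved path must be the root itself or a descendant of it.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def render_page(script_path, output_path):
    """Run one CGI script and capture its stdout into output_path.

    The argument-list form of subprocess never involves /bin/sh, so ';',
    '|' or '>' inside a file name are plain characters, not command
    separators. script_path comes from resolve_page and is absolute, so it
    can never start with '-' and be taken by the interpreter as -c.
    """
    with open(output_path, "wb") as out:
        completed = subprocess.run(
            [sys.executable, script_path],
            stdout=out,
            stderr=subprocess.DEVNULL,
            timeout=10,
            check=False,
        )
    return completed.returncode


def strip_cgi_header(data):
    """Drop the leading 'Content-type:' header block a CGI script prints.

    The thread removes it with str.replace over the whole body; matching
    only a header line followed by a blank line touches nothing else.
    """
    m = re.match(rb"content-type:[^\r\n]*\r?\n\r?\n", data, re.IGNORECASE)
    return data[m.end():] if m else data


def demo():
    """Constructed scenario: an allowed directory holding a tiny CGI script,
    one legitimate request, two hostile ones, then a render of the good one."""
    root = tempfile.mkdtemp(prefix="pages-")
    with open(os.path.join(root, "pelatologio.py"), "w") as f:
        f.write('print("Content-type: text/html; charset=utf-8\\n")\n'
                'print("<p>hello</p>")\n')
    results = {
        "good": resolve_page("pelatologio.py", root),
        "traversal": resolve_page("../../../etc/passwd", root),
        # Shaped like the value discussed in the thread, with a harmless tail.
        "injection": resolve_page("-c ''; echo injected; oops.py", root),
    }
    output = os.path.join(root, "rendered.html")
    results["returncode"] = render_page(results["good"], output)
    with open(output, "rb") as f:
        results["body"] = strip_cgi_header(f.read())
    return results


if __name__ == "__main__":
    print(demo())
```

The two hostile names fail for different reasons: the traversal resolves to a path outside the allowed directory, while the `-c ''; ...` value stays inside it but names no existing file. Either way the name never reaches a shell, because `render_page` only ever receives a path that `resolve_page` has already accepted.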
| From | Νίκος Γκρ33κ <nikos.gr33k@gmail.com> |
|---|---|
| Date | 2013-03-08 19:17 -0800 |
| Message-ID | <99eae754-5074-4f08-8d36-9578eb41d57e@googlegroups.com> |
| In reply to | #40911 |
On Saturday, 9 March 2013 2:18:42 AM UTC+2, user Ian wrote:
> So the -c is an option to Python. It means that instead of reading a
> script, Python should run commands passed on the command line in the
> next argument. That's the ''. It's empty, so what this instructs
> Python is to do nothing at all.
> The second command in this shell script is "rm -rf /". I assume you
> know what that would do.

Thank you for explaining but I'm not sure i have understood this part. Can you please elaborate more?
| From | Mark Lawrence <breamoreboy@yahoo.co.uk> |
|---|---|
| Date | 2013-03-09 03:33 +0000 |
| Message-ID | <mailman.3114.1362799925.2939.python-list@python.org> |
| In reply to | #40919 |
On 09/03/2013 03:17, Νίκος Γκρ33κ wrote:
> On Saturday, 9 March 2013 2:18:42 AM UTC+2, user Ian wrote:
>> So the -c is an option to Python. It means that instead of reading a
>> script, Python should run commands passed on the command line in the
>> next argument. That's the ''. It's empty, so what this instructs
>> Python is to do nothing at all.
>> The second command in this shell script is "rm -rf /". I assume you
>> know what that would do.
>
> Thank you for explaining but I'm not sure i have understood this part.
> Can you please elaborate more?

I confess to knowing very little about *nix commands, but I believe the second command referenced above does something like delete everything on your hard drive. Not that this is a problem as your improved security ensures that this can't happen, doesn't it?

--
Cheers.

Mark Lawrence
| From | Νίκος Γκρ33κ <nikos.gr33k@gmail.com> |
|---|---|
| Date | 2013-03-07 16:57 -0800 |
| Message-ID | <mailman.3065.1362704260.2939.python-list@python.org> |
| In reply to | #40817 |
On Thursday, 7 March 2013 10:15:11 PM UTC+2, user Ian wrote:
> On Thu, Mar 7, 2013 at 1:04 PM, Νίκος Γκρ33κ <nikos.gr33k@gmail.com> wrote:
> > On Thursday, 7 March 2013 9:36:33 PM UTC+2, user Joel Goldstick wrote:
> >> So, I see you fixed the problem. How?
> >
> > Apart from appearing ugly it's not causing any more trouble (other than some issues that i have fixed), so i will just do:
> >
> > os.system( 'python %s > %s' % (htmlpage, temp) )
> > f = open( temp )
> > htmldata = f.read()
> > htmldata = htmldata.replace( 'Content-type: text/html; charset=utf-8', '' )
>
> If htmlpage is being pulled from the HTTP request as I think it is,
> then you have a code injection vulnerability here. Think what could
> happen if htmlpage were something like this:
>
> -c ''; rm -rf /; oops.py

Yes it's being pulled from the http request! But please try to do it, i don't think it will work!
| From | Νίκος Γκρ33κ <nikos.gr33k@gmail.com> |
|---|---|
| Date | 2013-03-07 12:04 -0800 |
| Message-ID | <mailman.3049.1362687304.2939.python-list@python.org> |
| In reply to | #40814 |
On Thursday, 7 March 2013 9:36:33 PM UTC+2, user Joel Goldstick wrote:
> So, I see you fixed the problem. How?

Apart from appearing ugly it's not causing any more trouble (other than some issues that i have fixed), so i will just do:

```python
os.system( 'python %s > %s' % (htmlpage, temp) )
f = open( temp )
htmldata = f.read()
htmldata = htmldata.replace( 'Content-type: text/html; charset=utf-8', '' )
```
| From | Νίκος Γκρ33κ <nikos.gr33k@gmail.com> |
|---|---|
| Date | 2013-03-07 07:57 -0800 |
| Message-ID | <mailman.3036.1362672465.2939.python-list@python.org> |
| In reply to | #40788 |
On Thursday, 7 March 2013 5:33:10 PM UTC+2, user Chris Angelico wrote:
> You can figure it out, but it will take some effort. I will not
> enlighten you further. The documentation is all there; the answers are
> available.

I found it! I have placed 'htmltemp' within the os.system() call. Otherwise, os.system() returns a return value (int) which python then tries to concatenate with htmltemp (string).

os.system( 'python metrites.py > %s' % htmltemp )

:-)
| From | Νίκος Γκρ33κ <nikos.gr33k@gmail.com> |
|---|---|
| Date | 2013-03-07 07:26 -0800 |
| Message-ID | <mailman.3034.1362670757.2939.python-list@python.org> |
| In reply to | #40783 |
On Thursday, 7 March 2013 5:13:24 PM UTC+2, user Chris Angelico wrote:
> On Fri, Mar 8, 2013 at 2:01 AM, Νίκος Γκρ33κ <nikos.gr33k@gmail.com> wrote:
> > os.system( 'python metrites.py > %s' ) % htmltemp
>
> Manually step through what this line should do. Follow the exact same
> rules Python will follow in evaluating this expression.
>
> http://docs.python.org/2/reference/expressions.html#operator-precedence
> http://docs.python.org/3/reference/expressions.html#operator-precedence
>
> As you'll see from footnote 8 or 5 (depending on which version of the
> docs), your percent operator is the same one listed in the table as a
> division operator.
>
> Now. Go through that expression, step by step. Walk through everything
> the Python interpreter does. Figure out exactly what happens first,
> second, third. Figure out when your percent operator gets handled.
> Then you'll know what's wrong with that line of code.
>
> You'll also gain a very useful understanding of Python, and more
> generally of the way most high level languages parse expressions.
>
> ChrisA

I'm sorry to say i can't figure this out :( please enlighten me.
| From | John Gordon <gordon@panix.com> |
|---|---|
| Date | 2013-03-07 15:55 +0000 |
| Message-ID | <khadae$k2m$1@reader2.panix.com> |
| In reply to | #40782 |
In <c2a09443-3c74-477b-af9f-a6f3473ebe88@googlegroups.com> Νίκος Γκρ33κ <nikos.gr33k@gmail.com> writes:

> Switching back to:
> os.system( 'python metrites.py > %s' ) % htmltemp
> f = open( htmltemp )
> htmldata = f.read()
> but still don't see what i am doing wrong.....

You have the close-parentheses in the wrong place. The line should be:

os.system( 'python metrites.py > %s' % htmltemp )

--
John Gordon                   A is for Amy, who fell down the stairs
gordon@panix.com              B is for Basil, assaulted by bears
                                -- Edward Gorey, "The Gashlycrumb Tinies"
| From | Νίκος Γκρ33κ <nikos.gr33k@gmail.com> |
|---|---|
| Date | 2013-03-07 08:00 -0800 |
| Message-ID | <4e3c3750-605f-4d91-af21-a1c22d89912f@googlegroups.com> |
| In reply to | #40790 |
On Thursday, 7 March 2013 5:55:58 PM UTC+2, user John Gordon wrote:
> In <c2a09443-3c74-477b-af9f-a6f3473ebe88@googlegroups.com> Νίκος Γκρ33κ <nikos.gr33k@gmail.com> writes:
>
> > Switching back to:
> > os.system( 'python metrites.py > %s' ) % htmltemp
> > f = open( htmltemp )
> > htmldata = f.read()
> > but still don't see what i am doing wrong.....
>
> You have the close-parentheses in the wrong place. The line should be:
>
> os.system( 'python metrites.py > %s' % htmltemp )
>
> --
> John Gordon                   A is for Amy, who fell down the stairs
> gordon@panix.com              B is for Basil, assaulted by bears
>                                 -- Edward Gorey, "The Gashlycrumb Tinies"

Yes thank you, i found it myself and a moment later i also saw your post! I'm very excited i discovered it myself!

Now instead of receiving proper html output i receive this:

Go to http://superhost.gr please and click the 1st image you see on the top. Instead of the pelatologio.py html output appearing + counter string i see weird formatting, if you want please take a look.
| From | Νίκος Γκρ33κ <nikos.gr33k@gmail.com> |
|---|---|
| Date | 2013-03-07 08:22 -0800 |
| Message-ID | <ca68cf03-676c-472e-91be-c4fad35db8d2@googlegroups.com> |
| In reply to | #40792 |
I have fixed this! Still have a look and you will see that in both of my images they appear in the first page of superhost.gr.

The output of .py files appears fine except that when a visitor clicks on my first 2 image links he also sees as first line this:

print ( "Content-type: text/html; charset=utf-8\n" )

This is because the above code is a header and it's contained in every cgi .py file that i generate html output from via os.system().

Can this be somehow eliminated?
| From | Joel Goldstick <joel.goldstick@gmail.com> |
|---|---|
| Date | 2013-03-07 12:41 -0500 |
| Message-ID | <mailman.3042.1362678117.2939.python-list@python.org> |
| In reply to | #40800 |
On Thu, Mar 7, 2013 at 11:22 AM, Νίκος Γκρ33κ <nikos.gr33k@gmail.com> wrote:
> I have fixed this!
> Still have a look and you will see that in both of my images they appear in
> the first page of superhost.gr
>
> the output of .py files appears fine except that when a visitor clicks on
> my first 2 image links he also sees as first line this:
>
> print ( "Content-type: text/html; charset=utf-8\n" )
>
> this is because the above code is a header and it's contained in every cgi
> .py file that i generate html output from via os.system()
>
> Can this be somehow eliminated?

That page is not valid html. View the source in your browser to see -- it has no <html> tag, no <head>, no <body>. Fix that stuff.

--
Joel Goldstick
http://joelgoldstick.com
| From | Joel Goldstick <joel.goldstick@gmail.com> |
|---|---|
| Date | 2013-03-07 13:50 -0500 |
| Message-ID | <mailman.3043.1362682238.2939.python-list@python.org> |
| In reply to | #40800 |
On Thu, Mar 7, 2013 at 12:41 PM, Joel Goldstick <joel.goldstick@gmail.com> wrote:
> On Thu, Mar 7, 2013 at 11:22 AM, Νίκος Γκρ33κ <nikos.gr33k@gmail.com> wrote:
>> I have fixed this!
>> Still have a look and you will see that in both of my images they appear
>> in the first page of superhost.gr
>>
>> the output of .py files appears fine except that when a visitor clicks
>> on my first 2 image links he also sees as first line this:
>>
>> print ( "Content-type: text/html; charset=utf-8\n" )
>>
>> this is because the above code is a header and it's contained in every cgi
>> .py file that i generate html output from via os.system()
>>
>> Can this be somehow eliminated?

This may have to do with the configuration of your server. There may be differences in how to do that for python 2.x and python 3.x. I can't help you more than that.

> That page is not valid html. View the source in your browser to see -- it
> has no <html> tag, no <head>, no <body>. Fix that stuff.
>
> --
> Joel Goldstick
> http://joelgoldstick.com

--
Joel Goldstick
http://joelgoldstick.com