If I have a program that will download (textual) content based on what a client tells me to download, what kind of safety should I be concerned about?
My biggest concern was first that I shouldn't let them tell me to access anything in the local network. So I should filter out 127.0.0.1 and 192.168.X.X(X). However I've also seen 10.174.X.X(X) used for business networks, and am not exactly sure what else is possible. What's the best way to securely filter out downloading local content?
If I manually check the address with something like:

    if url[:7].lower() == 'http://':
        url = url[7:]
    if url[:9] == '127.0.0.1' or url[:5].lower() == 'local':
        return self.response['values']

Not only is that pretty ugly (and not looking too promising), but do I risk the user being able to spoof localhost by other means? Could he possibly leave a space ("l ocal") or something else?
Can downloading textual content lead to any client-side side-effects?
Finally, can malicious code be pushed into urllib2.Request, such as the problem with eval with input?
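As an added illustration of the filtering problem raised above (not code from the question or any answer), this checks the addresses a host actually resolves to rather than the spelling of the URL string; the function names, the `FAKE_DNS` table and its addresses are constructed for the example so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit
ALLOWED_SCHEMES = {"http", "https"}

def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    # is_private covers 10/8, 172.16/12, 192.168/16, 127/8, fc00::/7 ...; the
    # other flags close gaps that vary by Python version (multicast, 100.64/10).
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified
                or not ip.is_global)

def system_resolver(host: str) -> set:
    return {info[4][0] for info in socket.getaddrinfo(host, None)}  # OS lookup

def is_safe_url(url: str, resolver=system_resolver) -> bool:
    """Decide on the resolved addresses, never on the URL text, so spellings
    like 'localhost', '127.1', '2130706433' or 'l ocal' cannot slip past."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # no file://, ftp:// ...
    host = parts.hostname  # lowercased, brackets and user:pass@ removed
    if not host:
        return False
    try:
        addrs = resolver(host)
    except (OSError, UnicodeError, ValueError):
        return False  # unresolvable or malformed: reject, don't guess
    # A name with one public and one private address is rejected as well.
    return bool(addrs) and all(is_public_address(a) for a in addrs)

# Constructed stand-in for DNS so the example runs offline (not real hosts).
FAKE_DNS = {
    "localhost": {"127.0.0.1", "::1"},
    "intranet.corp": {"10.174.3.7"},
    "mapped.example": {"::ffff:10.0.0.1"},
    "mixed.example": {"101.102.103.104", "192.168.1.1"},
    "www.example.com": {"101.102.103.104"},
}

def fake_resolver(host: str) -> set:
    try:
        return {str(ipaddress.ip_address(host))}  # numeric literal as given
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_DNS[host]
```

The check and the later fetch resolve the name separately, so a downloader should pin the address it validated (or re-validate at connect time) and apply the same check to every redirect target it follows.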