Programming Forums > Script Programming > Python

Sane · Mar 17th, 2007, 12:40 PM

If I have a program that will download (textual) content based on what a client tells me to download, what kind of safety should I be concerned about?

My biggest concern was first that I shouldn't let them tell me to access anything in the local network. So I should filter out 127.0.0.1 and 192.168.X.X(X). However I've also seen 10.174.X.X(X) used for business networks, and am not exactly sure what else is possible. What's the best way to securely filter out downloading local content?

If I manually check the address with something like:

(Toggle Plain Text)

        if url[:7].lower() == 'http://':
            url = url[7:]

        if url[:9] == '127.0.0.1' or url[:5].lower() == 'local':
            return self.response['values']

Not only is that pretty ugly (and not looking too promising), but do I risk the user being able to spoof localhost by other means? Could he possibly leave a space ("l ocal") or something else?

Can downloading textual content lead to any client-side side-effects?

Finally, can malicious code be pushed into urllib2.Request, such as the problem with eval with input?

Mar 17th, 2007, 12:40 PM	#1
Sane Programming Guru Join Date: Apr 2005 Location: Waterloo, Ontario Posts: 1,835 Rep Power: 5	Networking - Safety Concern If I have a program that will download (textual) content based on what a client tells me to download, what kind of safety should I be concerned about? My biggest concern was first that I shouldn't let them tell me to access anything in the local network. So I should filter out 127.0.0.1 and 192.168.X.X(X). However I've also seen 10.174.X.X(X) used for business networks, and am not exactly sure what else is possible. What's the best way to securely filter out downloading local content? If I manually check the address with something like: (Toggle Plain Text) if url[:7].lower() == 'http://': url = url[7:] if url[:9] == '127.0.0.1' or url[:5].lower() == 'local': return self.response['values'] if url[:7].lower() == 'http://': url = url[7:] if url[:9] == '127.0.0.1' or url[:5].lower() == 'local': return self.response['values'] Not only is that pretty ugly (and not looking too promising), but do I risk the user being able to spoof localhost by other means? Could he possibly leave a space ("l ocal") or something else? Can downloading textual content lead to any client-side side-effects? Finally, can malicious code be pushed into urllib2.Request, such as the problem with eval with input? __________________ Waterloo's Canadian Computing Competition (CCC) - Stage 2 Problems, Solutions, and Test Data

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Switch to Hybrid Mode Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
To Networking GODs and GURUs, Is this possible?	thrasherx	Project Ideas	4	Oct 31st, 2006 10:00 PM
C++ Networking Question	MorphysGhost	C++	5	Apr 22nd, 2006 11:21 AM
java networking tutorials	Brent	Java	2	Aug 31st, 2005 9:29 AM
Networking in vb.net	BrianN	Visual Basic	2	Aug 15th, 2005 5:57 PM
networking in VB	Brent	Visual Basic	1	Aug 4th, 2005 10:17 AM

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Programming Forums > Script Programming > Python

Networking - Safety Concern