PyCherry Help? Is this safe?
I have a page that will take the GET parameter "filename", append it to the current working directory, then the downloads folder, and send a download attachment for that file.
http://jammersbase.ath.cx/download?f...e=oxygene4.mid Is there any way somebody could manipulate this by possibly lowering a directory then downloading main.py or something to gain access to my source? I think I may have made it safe by making oxygene4 in a folder up from the main folder, because if they used a / to go up a folder, it will think you're looking for the folder oxygene4. Meh, I think I'm just babbling. Exploits anyone?
Heh. Just make sure the GET string you receive has no wacko characters in it - I tend to just only allow alphanumerics, underscores, dashes, and single dots:
s = "../.../bar"
Or use "os.path.basename". That should make things safe enough.
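A worked version of the two suggestions above (a character allowlist plus os.path.basename), with a realpath containment check added so a slip in one layer is caught by the next. This is an added example, not code from the thread or the poster's site; the function names and the temporary folder layout built in demo() are constructed for illustration.

```python
import os
import re
import tempfile

# Allowlist in the spirit of the reply above: letters, digits, underscore,
# dash, and single dots. No slashes, no ".." runs, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$")


def resolve_download(downloads_dir, requested):
    """Map the untrusted 'filename' GET parameter to a path inside downloads_dir.

    Returns the absolute path to serve, or None if the request must be refused.
    """
    # 1. Character allowlist: rejects "../", backslashes, NUL and absolute paths.
    if not SAFE_NAME.match(requested):
        return None
    # 2. basename strips any directory component that might still sneak in
    #    (defence in depth; with the regex above it is effectively a no-op).
    name = os.path.basename(requested)
    # 3. Containment: the resolved real path must stay under downloads_dir,
    #    which also covers symlinks that point outside the folder.
    base = os.path.realpath(downloads_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    if not os.path.isfile(target):
        return None
    return target


def demo():
    """Constructed sample layout mirroring the thread: a downloads folder holding
    oxygene4.mid, with main.py one level up. Returns {request: served?}."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.mkdir(downloads)
    open(os.path.join(downloads, "oxygene4.mid"), "w").close()
    open(os.path.join(root, "main.py"), "w").close()
    attempts = ["oxygene4.mid", "../main.py", "main.py", "oxygene4..mid", ".hidden"]
    return {a: resolve_download(downloads, a) is not None for a in attempts}


if __name__ == "__main__":
    for request, served in demo().items():
        print("%-16s -> %s" % (request, "served" if served else "refused"))
```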
Quote:
Lol, you haven't looked at the sensitive content in the file yet :-)
omg GAH... >_<;;;;
People could use that to find the secret salt password, or open up people's user data files. @_@ *quickly rushes to solve problem*
The occasional security issue aside, your site's looking pretty good, Sane. I was rather impressed with how far it's come along since you first started work on it. :)
Meh. Designing it was easy.
It's still the exact same site, just with the layout changed. The only reason it looked like crap before was because it was just temporary. >_>
I liked the bit in the source saying:
adminpass = "passwordhere" lol :-)