|
|
 |
|
|
Thread Tools | Display Modes |
Jan 24th, 2006, 12:25 AM
|
#1 |
|
Programming Guru
 
Join Date: Apr 2005
Posts: 1,799
Rep Power: 5
 |
PyCherry Help? Is this safe?
I have a page that will take the GET parmater "filename" append it to the current working directory, then the downloads folder. And send a download attatchment for that file.
http://jammersbase.ath.cx/download?f...e=oxygene4.mid Is there any way somebody could manipulate this by possibly lowering a directory then downloading main.py or something to gain access to my source? I think I may have made it safe by making oxygene4 in a folder up from the main folder, because if they used a / to go up a folder, it will think you're looking for the folder oxygene4. Meh, I think I'm just babbling. Exploits anyone? |
|
|
|
Jan 24th, 2006, 2:37 AM
|
#2 |
|
Programming Guru
Join Date: Aug 2005
Location: England
Posts: 1,499
Rep Power: 4
|
|
|
|
|
|
Jan 24th, 2006, 8:36 AM
|
#3 |
|
Professional Programmer
Join Date: Apr 2005
Location: London, England
Posts: 459
Rep Power: 4
|
Heh. Just make sure the GET string you receive has no wacko characters in it - I tend to just only allow alphanumerics, underscores, dashes, and single dots
s = "../.../bar"
while s.count(".."):
s = s.replace("..", ".")
# s == "././bar", aka "bar" |
|
|
|
|
Jan 24th, 2006, 8:42 AM
|
#4 |
|
Programming Guru
Join Date: Aug 2005
Location: England
Posts: 1,499
Rep Power: 4
|
Or use "os.path.basename". That should make things safe enough.
|
|
|
|
|
Jan 24th, 2006, 8:57 AM
|
#5 | |
|
The Oblivious One
Join Date: May 2005
Location: Ontario, Canada
Posts: 630
Rep Power: 4
|
Quote:
__________________
Dr. Zoidberg: [ecstatic] I'm going to a movie... with FRIENDS! |
|
|
|
|
|
Jan 24th, 2006, 10:31 AM
|
#6 |
|
Expert Programmer
Join Date: Aug 2005
Location: UK
Posts: 862
Rep Power: 3
  |
Lol, you haven't looked at the sensitive content in the file yet :-)
__________________
Join us at #programmingforums @ irc.freenode.net! My software never has bugs. It just develops random features.
|
|
|
|
|
Jan 24th, 2006, 1:16 PM
|
#7 |
|
Programming Guru
Join Date: Apr 2005
Posts: 1,799
Rep Power: 5
|
omg GAH... >_<;;;;
People could use that to find the secret salt password, or open up people's user data files. @_@ *quickly rushes to solve problem* |
|
|
|
|
Jan 24th, 2006, 2:32 PM
|
#8 |
|
Programming Guru
Join Date: Aug 2005
Location: England
Posts: 1,499
Rep Power: 4
|
The occassional security issue aside, your site's looking pretty good, Sane. I was rather impressed with how far it's come along since you first started work on it.
 |
|
|
|
|
Jan 24th, 2006, 3:29 PM
|
#9 |
|
Programming Guru
Join Date: Apr 2005
Posts: 1,799
Rep Power: 5
|
Meh. Designing it was easy.
It's still the exact same site, just with the layout changed. The only reason it looked like crap before was because it was just temporary. >_> |
|
|
|
|
Jan 24th, 2006, 3:55 PM
|
#10 |
|
Expert Programmer
Join Date: Aug 2005
Location: UK
Posts: 862
Rep Power: 3
|
I liked the bit in the source saying:
adminpass = "passwordhere" lol :-)
__________________
Join us at #programmingforums @ irc.freenode.net! My software never has bugs. It just develops random features.
|
|
|
|
|
| Bookmarks |
| Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
