Does this introduce security vulnerabilities?
Posted by mcmt on Stack Overflow
        
        Published on 2010-04-19T00:25:46Z
        
I don't think I'm missing anything. Then again I'm kind of a newbie.
def GET(self, filename):
    name = urllib.unquote(filename)
    full = path.abspath(path.join(STATIC_PATH, filename))
    #Make sure request is not tricksy and tries to get out of
    #the directory, e.g. filename = "../.ssh/id_rsa". GET OUTTA HERE
    assert full[:len(STATIC_PATH)] == STATIC_PATH, "bad path"
    return open(full).read()
© Stack Overflow or respective owner
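
An added example, not part of the original post and written for Python 3 rather than the post's Python 2: one way to write the containment check so that it compares whole path components, follows symlinks, joins the decoded name, and does not depend on `assert`. The names `resolve_static`, `prefix_check` and `BadPath`, and the `static/` and `static_private/` directories, are constructed for the illustration.

```python
import os
import tempfile
from urllib.parse import unquote


class BadPath(Exception):
    """The requested name resolves outside the static root."""


def prefix_check(static_root, filename):
    """The string-prefix test from the question, kept for comparison."""
    full = os.path.abspath(os.path.join(static_root, filename))
    return full[:len(static_root)] == static_root


def resolve_static(static_root, filename):
    """Return the real path of filename under static_root or raise BadPath."""
    root = os.path.realpath(static_root)
    # Join the decoded name; the posted handler decodes into `name` but
    # then joins the raw `filename`.
    name = unquote(filename)
    if "\x00" in name:
        raise BadPath(filename)
    # realpath() collapses ".." and follows symlinks, so a link inside the
    # root is judged by where it really points.
    full = os.path.realpath(os.path.join(root, name))
    # Compare whole path components: a string-prefix test also matches a
    # sibling directory whose name merely starts with the root's name.
    # Raise explicitly, since assert statements are removed by `python -O`.
    if full == root or os.path.commonpath([root, full]) != root:
        raise BadPath(filename)
    return full


def demo():
    """Run both checks over a constructed layout: static/ and static_private/."""
    base = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(base, "static")
    os.makedirs(os.path.join(root, "css"))
    os.makedirs(os.path.join(base, "static_private"))
    results = {}
    for name in ("css/site.css", "../static_private/key.txt",
                 "%2e%2e/static_private/key.txt"):
        try:
            resolve_static(root, name)
            results[name] = (prefix_check(root, name), "served")
        except BadPath:
            results[name] = (prefix_check(root, name), "rejected")
    return results
```

`demo()` maps each constructed request name to a pair: whether the string-prefix test accepts it, and whether `resolve_static` serves or rejects it.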