Is using os.path.abspath to validate an untrusted filename's location secure?
Posted
by mcmt
on Stack Overflow
See other posts from Stack Overflow
or by mcmt
Published on 2010-04-19T00:25:46Z
Indexed on
2010/04/19
0:53 UTC
Read the original article
Hit count: 292
I don't think I'm missing anything. Then again I'm kind of a newbie.
def GET(self, filename):
name = urllib.unquote(filename)
full = path.abspath(path.join(STATIC_PATH, filename))
#Make sure request is not tricksy and tries to get out of
#the directory, e.g. filename = "../.ssh/id_rsa". GET OUTTA HERE
assert full[:len(STATIC_PATH)] == STATIC_PATH, "bad path"
return open(full).read()
Edit: I realize this will return the wrong HTTP error code if the file doesn't exist (at least under web.py). I will fix this.
© Stack Overflow or respective owner