[EMAIL PROTECTED] wrote:
> Clodoaldo Pinto Neto wrote:
>
> > print '<p>The submited name was "' + name + '"</p>'
>
> Bzzt! Script injection security hole. See cgi.escape and use it (or a
> similar function) for *all* text -> HTML output.
>
> > open('files/' + fileitem.filename, 'w')
>
> BZZZZZZT. filesystem overwriting security hole, possibly escalatable to
> code execution. clue: fileitem.filename= '../../something.py'
Do you think os.path.basename() is good enough?

========================
#!/usr/bin/env python
import cgi, os.path

form = cgi.FieldStorage()
fileitem = form['file']
fn = fileitem.filename            # name exactly as the client sent it
fnb = os.path.basename(fn)        # directory part stripped

print """\
Content-Type: text/plain\n
filename = "%s"
basename = "%s"
""" % (fn, fnb)
========================

[EMAIL PROTECTED] ~]$ nc teste.s0 80
POST /cgi-bin/dir_traversal.py HTTP/1.1
Host: teste.s0
Content-Type: multipart/form-data; boundary=---------------------------170451527316340742161395972977
Content-Length: 226

-----------------------------170451527316340742161395972977
Content-Disposition: form-data; name="file"; filename="../test.txt"
Content-Type: text/plain

file text
-----------------------------170451527316340742161395972977--
HTTP/1.1 200 OK
Date: Fri, 06 Oct 2006 20:48:58 GMT
Server: Apache/2.2.2 (Fedora)
Content-Length: 48
Content-Type: text/plain; charset=UTF-8

filename = "../test.txt"
basename = "test.txt"

Regards,
Clodoaldo
--
http://mail.python.org/mailman/listinfo/python-list
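On the "is basename enough" question: here is an added Python 3 example (not code from the thread) that strips the directory part for both '/' and '\' (on POSIX, os.path.basename only splits on '/', so a name like '..\..\x.py' passes through it untouched), rejects names that reduce to nothing or to dots only ('../' gives an empty basename, '..' a directory), and as a last check verifies that the resolved destination still lies under the upload directory. The HTML echo uses html.escape, the current equivalent of the cgi.escape named above (cgi.escape was removed in Python 3.8). The upload directory 'files' and the character allowlist are assumptions.

```python
import html
import os
import re

# Assumed policy: only these characters survive in a stored file name.
_UNSAFE_CHARS = re.compile(r'[^A-Za-z0-9._-]')

def sanitize_filename(client_name):
    """Reduce a client-supplied filename to one safe path component.

    Returns None when nothing usable is left (e.g. '', '../', '.', '..').
    """
    # Normalise backslashes first: os.path.basename on POSIX leaves
    # '..\\..\\x.py' intact, so a Windows-style path would otherwise
    # keep its dots (harmless there, but it is not what we want stored).
    name = client_name.replace('\\', '/')
    name = os.path.basename(name)          # '../test.txt' -> 'test.txt'
    name = _UNSAFE_CHARS.sub('', name)
    # '.' and '..' name directories, and '../' leaves an empty basename.
    if not name or set(name) <= {'.'}:
        return None
    return name

def upload_path(upload_dir, client_name):
    """Absolute destination under upload_dir, or None if it cannot be made safe."""
    name = sanitize_filename(client_name)
    if name is None:
        return None
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, name))
    # Defence in depth: the resolved path must remain inside the upload dir.
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest

def echo_name_html(client_name):
    """Escape before echoing into HTML (the first hole quoted above)."""
    return '<p>The submitted name was "%s"</p>' % html.escape(client_name, quote=True)

if __name__ == '__main__':
    for raw in ['../test.txt', '..\\..\\something.py', '../', 'report.pdf']:
        print(repr(raw), '->', upload_path('files', raw))
    print(echo_name_html('<script>alert(1)</script>'))
```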