Τη Σάββατο, 9 Μαρτίου 2013 2:26:56 π.μ. UTC+2, ο χρήστης Ian έγραψε:
> On Fri, Mar 8, 2013 at 1:31 PM, Νίκος Γκρ33κ <nikos.gr...@gmail.com> wrote:
> 
> > Thank you very much for pointing my flaws once again!
> 
> >
> 
> > I cant beleive how easy you hacked the webserver again and be able to read 
> > my cgi scripts source and write to cgi-bin too!
> 
> >
> 
> > I have added extra security by following some of your advice, i wonder if 
> > youc an hack it again!
> 
> >
> 
> > Fell free to try if i'am not tiring you please!
> 
> 
> 
> That seems to be better, although I want to stress that I did not try
> 
> very hard.  It's possible that somebody with more patience and
> 
> imagination than myself might still find a way to fool your
> 
> validation.

I'am glad the script has been made more secure after of course you enilghten me 
and i followed your advice. Here is what i did:


# detect how 'index.html' is called and validate values of 'htmlpage' & 'page'
if page and os.path.isfile( '/home/nikos/www/cgi-bin/' + page ):
        page = page
elif form.getvalue('show') and os.path.isfile( htmlpage ):
        page = htmlpage.replace( '/home/nikos/public_html/', '' )
else:
        page = 'index.html'

Now that you have the if structure's logic can you *still* fool the script?
-- 
http://mail.python.org/mailman/listinfo/python-list

Reply via email to