how to protect directory traversal in mod_python based custom apps

Graham Dumpleton Graham.Dumpleton at gmail.com
Tue Dec 25 20:12:06 EST 2007


On Dec 24, 10:34 pm, "Ravi Kumar" <ra2... at gmail.com> wrote:
> hi :)
> I was trying to develop a custom mod_python based web-site, just
> today. The problem I got
> though I liked the mod_python's feature of mapping and calling
> functions in python script by parsing the url.
> I mean, http://localhost/site/member/list?no=100
>
> would call site/member.py page's function list with arguments no=100.
> That's a feature I liked.
> But PROBLEM 01:
> I have included in index.py a css link to say something media/base.css
> now when same page comes with URL index.py/index the URL becomes
> false. I am finding some better way to overcome this.
> Placing all CSS as static served is not a good idea (like if CSS is
> dynamically generated).
> So according to you, what should be a better approach to this problem.

The mod_python.publisher code is arguably broken in the way it handles
the trailing slash problem.

For some discussion on the issue see:

  http://www.modpython.org/pipermail/mod_python/2006-March/020501.html

This includes some code which might be modified and used in a stack
handler arrangement to give you a relative anchor point to use on
URLs.

> PROBLEM 02:
> How can I prevent directory traversal.
> Take the case, I have five subdirs in dir 'site' named:
> components
> modules
> config
> templates
>
> and a file loader.py
>
> when a request comes as loader.py/pagename?renderType=xhtml
> it would call the function pagename which loads the pages from subdir
> 'templates' resolves the added components in pages from subdir
> 'components' where components uses custom modules from 'modules' and
> so on. Configuration subdir contains various configuration files in
> .py and .xml
>
> I don't want visitors to traverse and get list of all those subdirs.
> Those sub-dirs actually should no way be traversable online.
> Though I can prevent it using apache .htaccess and access directives
> in apache config.
>
> But on many hosting servers, apache config can't be edited (or maybe some
> situation). Then how can I block traversing the directory (what sort
> of implementation)
> Referring to CodeIgniter PHP Framework, they place index.php in every
> dir. That doesn't seem a good idea, and if a person calls the pages
> providing the right path, they are able to execute files in the
> framework, though since those configs and other files don't return
> anything, there is no result.

If the ISP gives you some directory space which isn't part of the
exposed document tree, then simply move those subdirectories from the
document tree outside to the additional space you have. Then refer to
the files from there.

If you can't do that because the document tree is all you have, then
one remaining hack is to rename all the files in the subdirectories to
begin with '.ht' prefix. This would generally work as default Apache
configuration is to forbid access to any files starting with '.ht'
prefix.

Graham
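
The application-side counterpart to Graham's advice, as an added example that is not code from this thread: a small helper a mod_python handler could call before opening any file named from the URL, so that `loader.py/<pagename>` can only ever read inside the template directory, including after that directory has been moved outside the document tree. The `htdocs/`, `templates/` and `config/` layout, the `settings.py` file and the `safe_resolve`/`load_template` functions are assumptions constructed for the demo, not anything the original poster described.

```python
"""Confine template lookups to one directory, the way a mod_python handler
serving loader.py/<pagename> should before opening anything on disk.
Added example for the thread above; the directory names are constructed."""
import os
import shutil
import tempfile


class TraversalError(ValueError):
    """Raised when a requested name would resolve outside the base directory."""


def safe_resolve(base_dir, requested):
    """Return the absolute path of `requested` inside `base_dir`, or raise.

    The decision is made on the resolved path (realpath), so '..' segments,
    redundant separators and symlinks are judged by where they land, not by
    how the string looks.
    """
    if not requested or "\x00" in requested:
        raise TraversalError("empty name or NUL byte")
    if os.path.isabs(requested):
        raise TraversalError("absolute paths are rejected: %r" % requested)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # Compare against base + separator so a sibling such as 'templates_old'
    # does not pass as a prefix match for 'templates', and '.' (the base
    # directory itself) is refused for a file loader.
    if not target.startswith(base + os.sep):
        raise TraversalError("path escapes %s: %r" % (base_dir, requested))
    return target


def is_confined(base_dir, requested):
    """True if `requested` stays inside `base_dir`; the paths need not exist."""
    try:
        safe_resolve(base_dir, requested)
    except TraversalError:
        return False
    return True


def load_template(templates_dir, page_name):
    """Read a page template; the extension is fixed server-side, not by the client."""
    path = safe_resolve(templates_dir, page_name + ".html")
    with open(path) as fh:
        return fh.read()


def make_demo_tree():
    """Constructed layout: htdocs/ is the served tree; templates/ and config/
    sit beside it, outside the document root, as the reply recommends."""
    root = tempfile.mkdtemp(prefix="modpy_demo_")
    templates = os.path.join(root, "templates")
    config = os.path.join(root, "config")
    for d in (os.path.join(root, "htdocs"), templates, config):
        os.makedirs(d)
    with open(os.path.join(templates, "home.html"), "w") as fh:
        fh.write("<h1>home</h1>")
    with open(os.path.join(config, "settings.py"), "w") as fh:
        fh.write("SECRET = 'constructed value'\n")
    return root, templates


def demo():
    """Load a legitimate page, then show that names walking toward config/ are refused."""
    root, templates = make_demo_tree()
    results = {}
    try:
        results["home"] = load_template(templates, "home")
        for name in ("../config/settings.py",
                     "sub/../../config/settings.py",
                     "/outside/settings.py"):
            try:
                safe_resolve(templates, name)
                results[name] = "allowed"
            except TraversalError:
                results[name] = "blocked"
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-32s %s" % (name, outcome))
```

Moving the directories out of the served tree, or relying on the `^\.ht` FilesMatch deny rule that ships in the default Apache configuration, only stops Apache from serving those files directly; the handler's own file reads still need a check like `safe_resolve`, because a page name taken from the URL is the one input that can walk back into `config/` regardless of where that directory lives.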
