Why exception from os.path.exists()?

Chris Angelico rosuav at gmail.com
Thu Jun 7 08:46:09 EDT 2018


On Thu, Jun 7, 2018 at 10:18 PM, Steven D'Aprano
<steve+comp.lang.python at pearwood.info> wrote:
> On Thu, 07 Jun 2018 13:47:07 +0300, Marko Rauhamaa wrote:
>
>> Chris Angelico <rosuav at gmail.com>:
>>
>>> On Thu, Jun 7, 2018 at 7:29 PM, Marko Rauhamaa <marko at pacujo.net>
>>> wrote:
>>>>   3. http://localhost:8000/te%00st.html
>>>>
>>>>      => The server crashes with a ValueError and the TCP connection is
>>>>         reset
>>>>
>>>>
>>> Actually, I couldn't even get Chrome to make that request, so it
>>> obviously was considered by the browser to be invalid.
>>
>> Wow! Why on earth?
>
> It works in Firefox, but Apache truncates the URL:
>
>
>     Not Found
>     The requested URL /te was not found on this server.
>
>
> instead of te%00st.html
>
> I wonder how many publicly facing web servers can be induced to either
> crash, or serve the wrong content, this way?
>

Define "serve the wrong content". You could get the exact same content
by asking for "te" instead of "te%00st.html"; what you've done is not
significantly different from this:

http://localhost:8000/te?st.html

Is that a security problem too?

ChrisA
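
The behaviours compared in this thread, as an added example that is not part of the original message: the `ValueError` Python raises when a decoded `%00` reaches a filesystem call, truncation at the NUL (which yields the `/te` seen in the quoted Apache response), and the `?` split. `classify_request`, `c_string_view`, `demo` and the temporary docroot are hypothetical names constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit


def c_string_view(decoded_path):
    """Model of NUL-terminated handling: everything after the first NUL is lost."""
    return decoded_path.split("\x00", 1)[0]


def classify_request(url, docroot):
    """Hypothetical static-file lookup (NUL handling only; no traversal checks)."""
    path = unquote(urlsplit(url).path)      # "?..." is the query, not the path
    if "\x00" in path:
        return 400, path                    # reject before any filesystem call
    full = os.path.join(docroot, path.lstrip("/"))
    try:
        os.stat(full)
    except ValueError:                      # defence in depth: embedded null byte
        return 400, path
    except OSError:
        return 404, path
    return 200, path


def demo():
    """Run the thread's URLs against a constructed docroot holding 'te' and 'test.html'."""
    results = {}
    with tempfile.TemporaryDirectory() as docroot:
        for name in ("te", "test.html"):
            with open(os.path.join(docroot, name), "w") as fh:
                fh.write(name)
        for url in ("http://localhost:8000/test.html",
                    "http://localhost:8000/te%00st.html",
                    "http://localhost:8000/te?st.html"):
            results[url] = classify_request(url, docroot)
        try:                                # the unguarded call behind the crash
            os.stat(os.path.join(docroot, "te\x00st.html"))
            results["raw os.stat"] = "no error"
        except ValueError as exc:
            results["raw os.stat"] = type(exc).__name__
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Answering 400 for the decoded NUL keeps the request from either resetting the connection or being silently served as `/te`.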


