471,337 Members | 941 Online
Bytes | Software Development & Data Engineering Community
Post +

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 471,337 software developers and data experts.

how to protect directory traversal in mod_python based custom apps

hi :)
I was trying to develop a custom mod_python based web-site, just
today. the problem I got
though i liked the mod_python's feature of mapping and calling
functions in python script by parsing the url.
I mean, http://localhost/site/member/list?no=100

would call site/member.py page's function list with arguments no=100.
Thats a feature i liked.
But PROBLEM 01:
i have included in index.py a css link to say something media/base.css
now when same page comes with URL index.py/index the URL becomes
false. I am finding some better way to overcome this.
Placing all CSS as static served is not a good idea,(like if CSS is
dynamically generated).
So according to you, what should be a better approach to this problem.
PROBLEM 02:
How can I prevent directory traversal.
Take the case, i have five subdirs in dir 'site' named :
components
modules
config
templates

and a file loader.py

when a request comes as loader.py/pagename?renderType=xhtml
it would call the function pagename which loads the pages from subdir
'templates' resolves the added components in pages from subdir
'components' where components uses custom modules from 'modules' and
so on. Configuration subdir contains various configuration files in
..py and .xml

I don't want visitors to traverse and get list of all those subdirs.
Those sub-dirs actually should no way be traversable online.
Though I can prevent it using apache .htaccess and access directives
in apache config.

But many hosting server, apache config can't be edited (or maybe some
situation). Then how can i block traversing the directory (what sort
of implementation)
Referring to CodeIgnitor PHP Framework, they places index.php in every
dir. thats doesn't seem a good idea, and if a person calls the pages
providing the right path, they are able to execute files in the
framework, though since those configs and other files doesn't return
anything, tere is no result.

--
-=Ravi=-
Dec 24 '07 #1
0 1202

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

6 posts views Thread by Anthony L. | last post: by
6 posts views Thread by Damjan | last post: by
1 post views Thread by Ryan Moore | last post: by
1 post views Thread by Gregory (Grisha) Trubetskoy | last post: by
4 posts views Thread by Gaurav Agarwal | last post: by
10 posts views Thread by Vincent Delporte | last post: by
reply views Thread by Gregory (Grisha) Trubetskoy | last post: by
22 posts views Thread by teejayem | last post: by

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.