473,222 Members | 1,743 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,222 software developers and data experts.

how to protect directory traversal in mod_python based custom apps

hi :)
I was trying to develop a custom mod_python based web-site, just
today. the problem I got
though i liked the mod_python's feature of mapping and calling
functions in python script by parsing the url.
I mean, http://localhost/site/member/list?no=100

would call site/member.py page's function list with arguments no=100.
Thats a feature i liked.
But PROBLEM 01:
i have included in index.py a css link to say something media/base.css
now when same page comes with URL index.py/index the URL becomes
false. I am finding some better way to overcome this.
Placing all CSS as static served is not a good idea,(like if CSS is
dynamically generated).
So according to you, what should be a better approach to this problem.
PROBLEM 02:
How can I prevent directory traversal.
Take the case, i have five subdirs in dir 'site' named :
components
modules
config
templates

and a file loader.py

when a request comes as loader.py/pagename?renderType=xhtml
it would call the function pagename which loads the pages from subdir
'templates' resolves the added components in pages from subdir
'components' where components uses custom modules from 'modules' and
so on. Configuration subdir contains various configuration files in
..py and .xml

I don't want visitors to traverse and get list of all those subdirs.
Those sub-dirs actually should no way be traversable online.
Though I can prevent it using apache .htaccess and access directives
in apache config.

But many hosting server, apache config can't be edited (or maybe some
situation). Then how can i block traversing the directory (what sort
of implementation)
Referring to CodeIgnitor PHP Framework, they places index.php in every
dir. thats doesn't seem a good idea, and if a person calls the pages
providing the right path, they are able to execute files in the
framework, though since those configs and other files doesn't return
anything, tere is no result.

--
-=Ravi=-
Dec 24 '07 #1
0 1287

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

6
by: Anthony L. | last post by:
I am writing a web application that is comparable to a content management system used in blogging. I really want to use Python after having done some evaluation coding using Python 2.3.5 with...
6
by: Damjan | last post by:
Apache2 comes with builtin Web-dav support, but authorization is limited to Apache's methods, which are not very flexible. Now I've been thinking that it might be pretty easy to implement a...
1
by: Ryan Moore | last post by:
is it possible to protect a single directory within a virtual directory using that directory's web.config file (for example, the "admin" folder within a web directory)? If so, how is it done? ...
1
by: Gregory (Grisha) Trubetskoy | last post by:
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the 3.2.7 release of mod_python. Mod_python 3.2.7 is considered a stable release, suitable for production...
4
by: Gaurav Agarwal | last post by:
Hi, Am using WAMP5 and python 2.4.3. I tried to install mod_python 3.2.5 for python2.4. When i tried starting wamp, Firstly there was no error message in the apache error log. I saw error...
10
by: Vincent Delporte | last post by:
Hi I'm still a newbie when it comes to web applications, so would like some help in choosing a solution to write apps with Python: What's the difference between using running it through...
0
by: Gregory (Grisha) Trubetskoy | last post by:
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the 3.3.1 release of mod_python. Mod_python 3.3.1 is considered a stable release, suitable for production...
22
by: teejayem | last post by:
Hi, I am new to programming with databases and was wanting some help. Is there any way to password protect an access database and access sent sql commands to it via vb.net code? Any help...
0
by: VivesProcSPL | last post by:
Obviously, one of the original purposes of SQL is to make data query processing easy. The language uses many English-like terms and syntax in an effort to make it easy to learn, particularly for...
3
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 3 Jan 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). For other local times, please check World Time Buddy In...
0
by: jianzs | last post by:
Introduction Cloud-native applications are conventionally identified as those designed and nurtured on cloud infrastructure. Such applications, rooted in cloud technologies, skillfully benefit from...
0
by: mar23 | last post by:
Here's the situation. I have a form called frmDiceInventory with subform called subfrmDice. The subform's control source is linked to a query called qryDiceInventory. I've been trying to pick up the...
0
by: abbasky | last post by:
### Vandf component communication method one: data sharing ​ Vandf components can achieve data exchange through data sharing, state sharing, events, and other methods. Vandf's data exchange method...
2
by: jimatqsi | last post by:
The boss wants the word "CONFIDENTIAL" overlaying certain reports. He wants it large, slanted across the page, on every page, very light gray, outlined letters, not block letters. I thought Word Art...
0
by: fareedcanada | last post by:
Hello I am trying to split number on their count. suppose i have 121314151617 (12cnt) then number should be split like 12,13,14,15,16,17 and if 11314151617 (11cnt) then should be split like...
0
by: stefan129 | last post by:
Hey forum members, I'm exploring options for SSL certificates for multiple domains. Has anyone had experience with multi-domain SSL certificates? Any recommendations on reliable providers or specific...
0
Git
by: egorbl4 | last post by:
Скачал я git, хотел начать настройку, а там вылезло вот это Что это? Что мне с этим делать? ...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.