[mod_python] dot dot in the url

Roger Binns rogerb at rogerbinns.com
Sat May 12 01:46:31 EDT 2007


Graham Dumpleton wrote:
> If your web browser doesn't normalise it 

I am sending requests from my test harness which does not do
normalization.  In my case normalization effectively "corrupts" the data.

> then Apache will. Such
> normalisation will be done before it even gets to mod_python.

req.uri is normalized but req.unparsed_uri is as originally sent by the
client, so I use that.  The only remaining problem is that if the
normalized uri doesn't reference my handler then it isn't called.

<Location /api/v1/>
 SetHandler python-program
 PythonHandler restapiv1::RestAPIV1.RequestHandler
</Location>

So I get called for /api/v1/widget/a/b/c/d/../../e but not for
/api/v1/widget/../../e/a/b/c/d

> You state what you want to happen, but why exactly do you want to do
> this in the first place? What is the underlying reason?

Exactly as I said.  It is a REST service and the names of items appear
as part of the URL, e.g. you use PUT /api/v1/widget/foo to create a
widget named foo, GET to query it, DELETE to delete it etc.

But because of this normalization done by Apache before deciding which
handler to call, that imposes an arbitrary constraint on names such that
they can't have ../ sequences that get up before the /api/v1/.  The
arbitrary constraint then has to be documented, tested, have friendly
information in user interfaces etc.  It is an ugly wart and I was hoping
it was unnecessary.

Roger
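
The routing behaviour described in the message above, as an added example that is not part of the original post and is not mod_python or Apache code. It assumes Apache's normalisation behaves like RFC 3986 dot-segment removal and ignores percent-decoding and slash merging; the function names and the sample URIs beyond the two in the post are constructed for illustration.

```python
# Added illustration: models why one raw URI reaches the handler and the
# other does not. remove_dot_segments follows RFC 3986 section 5.2.4 and is
# an assumed approximation of what Apache does before <Location> matching.
LOCATION = "/api/v1/"               # prefix from the <Location> block
WIDGET_PREFIX = "/api/v1/widget/"   # resource prefix used in the post


def remove_dot_segments(path):
    """Collapse '.' and '..' segments, never climbing above the root."""
    segments = path.split("/")
    out = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == ".":
            if last:
                out.append("")      # "/a/." normalises to "/a/"
        elif seg == "..":
            if len(out) > 1:        # out[0] is the empty root segment
                out.pop()
            if last:
                out.append("")      # "/a/b/.." normalises to "/a/"
        else:
            out.append(seg)
    return "/".join(out)


def reaches_handler(unparsed_uri):
    """True if the normalised path (req.uri) still falls under LOCATION."""
    path = unparsed_uri.split("?", 1)[0]
    return remove_dot_segments(path).startswith(LOCATION)


def raw_widget_name(unparsed_uri):
    """Item name exactly as sent, taken from the raw (unparsed) URI."""
    path = unparsed_uri.split("?", 1)[0]
    if not path.startswith(WIDGET_PREFIX):
        return None
    return path[len(WIDGET_PREFIX):]


if __name__ == "__main__":
    samples = [
        "/api/v1/widget/a/b/c/d/../../e",   # from the post: handler called
        "/api/v1/widget/../../e/a/b/c/d",   # from the post: handler skipped
        "/api/v1/widget/foo?verbose=1",     # constructed sample
    ]
    for uri in samples:
        print(uri, "->", remove_dot_segments(uri.split("?", 1)[0]),
              "| routed:", reaches_handler(uri),
              "| raw name:", raw_widget_name(uri))
```

A handler that trusts the raw name in this way has to treat it as an opaque key and never join it onto a filesystem path.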

