[mod_python] dot dot in the url

Roger Binns rogerb at rogerbinns.com
Fri May 11 20:39:53 EDT 2007


I'm using mod_python to provide a REST-style API.  Unfortunately I am
experiencing a problem when there are ../ sequences as part of the URL.
For example, if the path I service is /api/book/TITLE where TITLE is the
title, I can't find anything that allows me to process the URL when dots
are there.

An example is wanting to process /api/book/foo/../../bar

In my code I want the /api/book/ handler invoked with "foo/../../bar" as
the title.

Either Apache or mod_python "normalizes" the URL and treats the whole
thing as /api/bar.  I can't seem to stop that behaviour.  It happens
even if I use %2f/%2e.  I have AllowEncodedSlashes on as well.

I realize the whole thing looks like a directory traversal attack, but
it isn't and my code copes just fine when it is invoked.

Roger
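
The normalization described in the message above, as an added example that is not part of the original post and is not Apache or mod_python code. It models the behaviour as percent-decoding followed by RFC 3986 section 5.2.4 dot-segment removal (an assumption that matches what the poster reports), and shows that the intended title survives only in the raw, unnormalized request target. The function names and the `/api/book/` prefix handling are hypothetical.

```python
from urllib.parse import unquote


def remove_dot_segments(path):
    """Collapse '.' and '..' in an absolute path (RFC 3986 section 5.2.4)."""
    segments = path.split("/")[1:]          # drop the empty piece before the leading '/'
    out = []
    for seg in segments:
        if seg == "..":
            if out:
                out.pop()                   # '..' cancels the previous segment
        elif seg != ".":
            out.append(seg)
    if segments and segments[-1] in (".", ".."):
        out.append("")                      # keep the trailing slash: /a/b/.. -> /a/
    return "/" + "/".join(out)


def server_view(raw_path):
    """Assumed model of the server: decode %xx first, then collapse dots."""
    return remove_dot_segments(unquote(raw_path))


def title_from_raw(raw_uri, prefix="/api/book/"):
    """Recover the title from the raw request target, before any normalization.

    Assumes the handler can read the raw target (mod_python exposes one as
    req.unparsed_uri). The result is an opaque lookup key; it must never be
    joined onto a filesystem path.
    """
    path = raw_uri.split("?", 1)[0]         # strip the query string
    if not path.startswith(prefix):
        return None
    return unquote(path[len(prefix):])


if __name__ == "__main__":
    # Constructed sample request targets based on the example in the post.
    for raw in ("/api/book/foo/../../bar",
                "/api/book/foo/%2e%2e/%2e%2e/bar",
                "/api/book/foo%2f..%2f..%2fbar"):
        print(raw, "->", server_view(raw), "| title:", title_from_raw(raw))
```

All three encodings collapse to the same normalized path, which is why escaping the dots or slashes does not change which resource the server sees.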
