[mod_python] dot dot in the url

Graham Dumpleton graham.dumpleton at gmail.com
Fri May 11 21:13:58 EDT 2007

If your web browser doesn't normalise it then Apache will. Such
normalisation will be done before it even gets to mod_python.

You state want you want to happen, but why exactly do you want to do
this in the first place? What is the underlying reason?


On 12/05/07, Roger Binns <rogerb at rogerbinns.com> wrote:
> Hash: SHA1
> I'm using modpython to provide a rest style api.  Unfortunately I am
> experiencing a problem when there are ../ sequences as part of the url.
>  For example if the path I service is /api/book/TITLE where title is the
> title, I can't find anything that allows me to process the url when dots
> are there.
> An example is wanting to process /api/book/foo/../../bar
> In my code I want /api/book/ handler invoked with "foo/../../bar" to be
> the title.
> Either Apache or modpython "normalizes" the url and treats the whole
> thing as /api/bar.  I can't seem to stop that behaviour.  It happens
> even if I use %2f/%2e.  I have AllowEncodedSlashes on as well.
> I realize the whole thing looks like a directory traversal attack, but
> it isn't and my code copes just fine when it is invoked.
> Roger
> Version: GnuPG v1.4.6 (GNU/Linux)
> iD8DBQFGRQzZmOOfHg372QQRAimpAJwI1IfNfELlfS5t/Qiak3uyQg8UEwCgtnqp
> bJu01YGmVSVX3tPAmlxbnms=
> =5TCw
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python

More information about the Mod_python mailing list