Graham Dumpleton
graham.dumpleton at gmail.com
Fri May 11 21:13:58 EDT 2007
If your web browser doesn't normalise it then Apache will. Such
normalisation will be done before it even gets to mod_python.

You state what you want to happen, but why exactly do you want to do
this in the first place? What is the underlying reason?

Graham

On 12/05/07, Roger Binns <rogerb at rogerbinns.com> wrote:
> I'm using modpython to provide a rest style api. Unfortunately I am
> experiencing a problem when there are ../ sequences as part of the url.
> For example if the path I service is /api/book/TITLE where title is the
> title, I can't find anything that allows me to process the url when dots
> are there.
>
> An example is wanting to process /api/book/foo/../../bar
>
> In my code I want /api/book/ handler invoked with "foo/../../bar" to be
> the title.
>
> Either Apache or modpython "normalizes" the url and treats the whole
> thing as /api/bar. I can't seem to stop that behaviour. It happens
> even if I use %2f/%2e. I have AllowEncodedSlashes on as well.
>
> I realize the whole thing looks like a directory traversal attack, but
> it isn't and my code copes just fine when it is invoked.
>
> Roger
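The collapse of /api/book/foo/../../bar to /api/bar described in this thread, as an added example that is not part of the original messages and is not Apache or mod_python code. It models the normalisation with the dot-segment rules of RFC 3986 section 5.2.4 and assumes percent-decoding happens first, as the quoted report with AllowEncodedSlashes suggests; the function names and the "/api/book/" prefix check are hypothetical.

```python
from urllib.parse import unquote


def remove_dot_segments(path):
    """Collapse "." and ".." segments following RFC 3986, section 5.2.4."""
    output = []
    segments = path.split("/")
    for i, segment in enumerate(segments):
        last = i == len(segments) - 1
        if segment == ".":
            if last:
                output.append("")  # a trailing "/." leaves a trailing "/"
        elif segment == "..":
            if len(output) > 1:  # never pop the empty root segment
                output.pop()
            if last:
                output.append("")  # a trailing "/.." leaves a trailing "/"
        else:
            output.append(segment)
    return "/".join(output)


def path_seen_by_handler(raw_path, prefix="/api/book/"):
    """Return (normalised path, title) as a handler mounted at prefix would see it.

    Assumption: the server percent-decodes before collapsing dot segments,
    which is why %2e and %2f make no difference in the quoted report.
    The title is None when the normalised path no longer falls under prefix.
    """
    normalised = remove_dot_segments(unquote(raw_path))
    title = normalised[len(prefix):] if normalised.startswith(prefix) else None
    return normalised, title


if __name__ == "__main__":
    # Constructed sample requests based on the URL quoted in the thread.
    for raw in (
        "/api/book/foo/../../bar",
        "/api/book/foo%2f%2e%2e%2f%2e%2e%2fbar",
        "/api/book/plain-title",
    ):
        print(raw, "->", path_seen_by_handler(raw))
```

Both the literal and the percent-encoded request normalise to a path outside /api/book/, so a handler that routes on the normalised path never receives "foo/../../bar" as a title.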