[mod_python] dot dot in the url

Roger Binns rogerb at rogerbinns.com
Sat May 12 02:35:14 EDT 2007

Hash: SHA1

Graham Dumpleton wrote:
> You appear to be
> wanting to side step the RFC and ignore what the standard says and
> have it interpreted your way which just seems wrong.

The standard significantly predates things like REST and comes from the
days when web servers pretty much served up a content from a filesystem
with a cgi directory stuck on the side for dynamic things.

In my case, yes I do want want the URLs left untranslated when the
prefix indicates my REST service.

> Note how it says that are removed as part of the resolution process.

On Monday I'll investigate if I can prevent this happening by using a
PythonTransHandler or possibly the header handler if they get called
before the URI is munged.

> You just seem to be going about this the wrong way. Why do you expect
> a URI that resolves to be outside of the base URI for your handler to
> still result in your handler being called? 

It doesn't map outside.  The URI is /api/v1/widget/ followed by a name
but I need to find a way to tell Apache that the name portion really is
just a string literal and any ../ sequences are not attempts at relative

> If it is important that it
> isn't, you should be generating URIs that map to outside of your base
> URI in the first place.

Technically I am not generating them.  The user of my system causes them
to occur if they ever put ../ into the names of items.  They choose the
names.  I am not a fan of humans having to adapt to the idiosyncrasies
of computers.  It should be the other way round.


Version: GnuPG v1.4.6 (GNU/Linux)


More information about the Mod_python mailing list