[mod_python] dot dot in the url

Graham Dumpleton graham.dumpleton at gmail.com
Sat May 12 03:16:21 EDT 2007

On 12/05/07, Roger Binns <rogerb at rogerbinns.com> wrote:
> > Note how it says that are removed as part of the resolution process.
> On Monday I'll investigate if I can prevent this happening by using a
> PythonTransHandler or possibly the header handler if they get called
> before the URI is munged.

Elimination of '..' and '.' elements in path is done before
translate_name handlers. I think the only way to do anything before
the point that the elements are eliminated in req.uri is using an
Apache quick_handler and that cannot be hooked using mod_python. But
then using a quick handler totally circumvents all the Apache phases
meaning you loose all the authentication stuff as well, thus not of
much use to you.

You can possibly rewrite req.filename in a translate_name handler with
bits from req.unparsed_uri but you would have to be sure you only do
it for your base URI which in itself may be hard to determine if it
has disappeared because of the path resolution.

BTW, how do other REST people address this problem? If it was such a
big issue I would have expected to hear other people asking similar
questions but there haven't been. Or do others simply ensure that they
put validators on data to prevent use of path elements that would
cause problems or map everything through IDs instead of using
arbitrary user input data?


More information about the Mod_python mailing list