Graham Dumpleton
graham.dumpleton at gmail.com
Sat May 12 03:16:21 EDT 2007
On 12/05/07, Roger Binns <rogerb at rogerbinns.com> wrote:
>
> Note how it says that are removed as part of the resolution process.
>
> On Monday I'll investigate if I can prevent this happening by using a
> PythonTransHandler or possibly the header handler if they get called
> before the URI is munged.

Elimination of '..' and '.' elements in path is done before translate_name handlers.

I think the only way to do anything before the point that the elements are eliminated in req.uri is using an Apache quick_handler and that cannot be hooked using mod_python. But then using a quick handler totally circumvents all the Apache phases meaning you lose all the authentication stuff as well, thus not of much use to you.

You can possibly rewrite req.filename in a translate_name handler with bits from req.unparsed_uri but you would have to be sure you only do it for your base URI which in itself may be hard to determine if it has disappeared because of the path resolution.

BTW, how do other REST people address this problem? If it was such a big issue I would have expected to hear other people asking similar questions but there haven't been. Or do others simply ensure that they put validators on data to prevent use of path elements that would cause problems or map everything through IDs instead of using arbitrary user input data?

Graham
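
The validator approach raised at the end of the message, as an added example that is not part of the original post and is not mod_python or Apache code. `resolved_path` only approximates the '.'/'..' elimination described above, `item_segments` checks the raw value a handler would read from `req.unparsed_uri`, and both function names and the `/api/items/` base URI are hypothetical.

```python
from urllib.parse import unquote, urlsplit


def resolved_path(unparsed_uri):
    """Approximate the '.'/'..' elimination applied before req.uri is seen.

    Assumption: percent-escapes are decoded first, so '%2e%2e' acts as '..'.
    """
    segments = unquote(urlsplit(unparsed_uri).path).split("/")
    out = []
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:      # never pop the leading root element
                out.pop()
            continue
        out.append(seg)
    if segments[-1] in (".", ".."):
        out.append("")            # a trailing dot segment leaves a trailing slash
    return "/".join(out) or "/"


def item_segments(unparsed_uri, base="/api/items/"):
    """Return decoded path elements below `base`, taken from the raw URI.

    Raises ValueError for any element that path resolution would have
    consumed or that could change which resource the request names.
    """
    raw_path = urlsplit(unparsed_uri).path
    if not raw_path.startswith(base):
        raise ValueError("request is outside the base URI")
    segments = [unquote(s) for s in raw_path[len(base):].split("/")]
    for seg in segments:
        if seg in ("", ".", "..") or any(c in seg for c in "/\\\x00"):
            raise ValueError("unsafe path element: %r" % seg)
    return segments


if __name__ == "__main__":
    # Constructed sample request URIs.
    for uri in ("/api/items/report.v2/2007",
                "/api/items/../admin",
                "/api/items/%2e%2e/admin"):
        try:
            print(uri, "->", item_segments(uri))
        except ValueError as exc:
            print(uri, "-> rejected:", exc, "| resolves to", resolved_path(uri))
```
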