[mod_python] dot dot in the url

Colin Bean ccbean at gmail.com
Mon May 14 14:10:10 EDT 2007


Have you considered base64 encoding the path data you want sent as a
parameter?  Might make your application harder to use, but you could
send whatever you wanted as a parameter without involving Apache's URL
processing rules.

Colin


On 5/14/07, Roger Binns <rogerb at rogerbinns.com> wrote:
> Jim Gallacher wrote:
> > REST is built *on* the RFC standards and in no way violates them. RFC
> > 3986 is dated January 2005, whereas the thesis first detailing REST was
> > written in 2000.
>
> 3986 builds on several previous RFCs which do predate REST.  URIs
> existed long before REST as did standards specifying URIs.
>
> > Your URL usage does bend the rules, so don't be surprised if it ends up
> > being difficult or impossible to make it work the way you want.
>
> REST has identifiers as part of the URL.  In most examples a number is
> used because the underlying data is stored as a database and the number
> corresponds to a primary key.  However there are many examples of
> strings being used as well.  A consequence of the URI rules as done by
> Apache is that those strings cannot contain /./ or /../ or start with ./
> or ../
>
> I'm just going to have to live with that since even though my code can
> cope with them, Apache uses the processed URL for access control,
> invoking handlers etc.
>
> I'm left with two alternatives:
>
>  - Outright ban those sequences in unique identifiers
>  - Have some sort of escape sequence that allows them
>
> I really hate edge cases like this.  They make software more arbitrary
> and annoying.
>
> Roger
>
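
Added example, not part of either message above: a sketch of the base64 suggestion, showing that an identifier containing `../` and `/./` is rewritten by URL processing while its encoded form passes through as a single path segment and decodes back unchanged. The function names are hypothetical, the sample identifier is constructed, and `posixpath.normpath` is only an assumed stand-in for the server's dot-segment handling.

```python
import base64
import posixpath
import re
from urllib.parse import unquote

_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # URL-safe base64 alphabet, no padding


def processed_path(url_path):
    """Stand-in (assumption) for server-side URL processing:
    percent-decode, then collapse "." and ".." segments."""
    return posixpath.normpath(unquote(url_path))


def encode_id(identifier):
    """Encode an arbitrary identifier as one dot-free, slash-free path segment."""
    raw = identifier.encode("utf-8")
    # urlsafe variant: standard base64 emits "/" and "+", which are unsafe in a path
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_id(token):
    """Recover the identifier; raise ValueError for anything encode_id cannot emit."""
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside the URL-safe alphabet")
    padded = token + "=" * (-len(token) % 4)
    identifier = base64.urlsafe_b64decode(padded).decode("utf-8")
    if encode_id(identifier) != token:
        # Reject non-canonical spellings so each identifier has exactly one URL
        raise ValueError("non-canonical token")
    return identifier


if __name__ == "__main__":
    ident = "../reports/./2007"  # constructed sample identifier
    print(processed_path("/item/" + ident))             # dot segments collapsed
    print(processed_path("/item/" + encode_id(ident)))  # segment left intact
    print(decode_id(encode_id(ident)))
```

The decoded identifier never went through the path-based access control applied to the processed URL, so the application should use it only as an opaque lookup key and not as a filesystem path.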

