[mod_python] dot dot in the url

Roger Binns rogerb at rogerbinns.com
Mon May 14 14:32:09 EDT 2007


Colin Bean wrote:
> Have you considered base64 encoding the path data you want sent as a
> parameter?  Might make your application harder to use, but you could
> send whatever you wanted as a parameter without involving apache's url
> processing rules.

Yes, that falls under "Have some sort of escape sequence that allows them"

/./ and /../ are going to be the uncommon case so I'll either ban them
outright or think of something that only requires them to be escaped
rather than the whole string which is what base64 does.  Unfortunately
the obvious use of \ is taken since it is the path separator under Windows
and it gets treated similarly to /.  Something like tilde would work
although that now makes two special cases for people to worry about
(the /../ and tilde).

Roger
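
One possible shape for the tilde escape discussed in the message above, as an added example that is not code from the original post or from mod_python. The function names, the choice of `~` as a per-segment prefix, and the use of `posixpath.normpath` as a stand-in for the server's dot-segment handling are all assumptions.

```python
import posixpath
import re

ESC = "~"  # assumed escape character; the post only says "something like tilde"
_SEP = re.compile(r"([/\\])")  # split on / and \ (both act as separators), keep them


def escape_path(path):
    """Escape only '.' and '..' segments, plus segments that already start with ESC.

    The second case is what keeps decoding unambiguous: every segment that
    starts with ESC after encoding has exactly one ESC that was added here.
    """
    parts = _SEP.split(path)
    # Even indexes are segments, odd indexes are the separators themselves.
    for i in range(0, len(parts), 2):
        if parts[i] in (".", "..") or parts[i].startswith(ESC):
            parts[i] = ESC + parts[i]
    return "".join(parts)


def unescape_path(escaped):
    """Reverse escape_path(); a raw dot segment is rejected rather than trusted."""
    parts = _SEP.split(escaped)
    for i in range(0, len(parts), 2):
        if parts[i] in (".", ".."):
            raise ValueError("unescaped dot segment in %r" % escaped)
        if parts[i].startswith(ESC):
            parts[i] = parts[i][1:]
    return "".join(parts)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for raw in ["docs/../etc/./passwd", "~home/..\\x", "a..b/.../.hidden"]:
        wire = escape_path(raw)
        # normpath stands in for dot-segment collapsing: the escaped form
        # passes through unchanged, the raw form does not.
        print(raw, "->", wire,
              "| survives:", posixpath.normpath(wire) == wire,
              "| raw normalizes to:", posixpath.normpath(raw))
        assert unescape_path(wire) == raw
```

Only the two special cases change on the wire; ordinary names such as `a..b` or `.hidden` are sent as-is, unlike base64, which rewrites the whole string.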

