#1 2010-04-14 12:03:08

initbox
Member
Registered: 2008-09-27
Posts: 172

Secure path concatenation in Python?

Hey,

I'm messing around with web.py (and this is a puzzling question in general as well!), and I'm trying to figure out a secure way to append "input" to a path.

Even if you use secure links in your HTML markup, people can obviously make custom GETs.

It's easy to use regexes in the url mapper thing to prevent it, but I'm too paranoid for that. However, it seems like a poor solution to test the input in the function itself with something like:

x = os.path.split("/the/www/"+input)[-1]
if x[:2]== ".." or x[:1]=="." or x[:1]=="-":
    ...
else:
    ... "/the/www/"+x

Plus, there could be more "keywords" that I'm forgetting here. It's easy to just use databases (and they come with their own problems...), but I've been thinking about this dilemma for ages...

One easy solution would be to use os.chroot() to root it into the www-dir, but I don't know whether web.py will function like that OR whether Python actually works after the chroot...

Of course, I'm paranoid enough to just chroot AND use regexes in the mapper AND validate the input before using it.

::edited in case of nitpickers

Last edited by initbox (2010-04-14 12:16:23)


#2 2010-04-14 14:20:33

tlvb
Member
From: Sweden
Registered: 2008-10-06
Posts: 297

Re: Secure path concatenation in Python?

I would probably filter away anything that is not a [a-zA-Z_] or single [dot,forward slash] just to be sure


I need a sorted list of all random numbers, so that I can retrieve a suitable one later with a binary search instead of having to iterate through the generation process every time.


#3 2010-04-14 14:39:31

tavianator
Member
From: Waterloo, ON, Canada
Registered: 2007-08-21
Posts: 859

Re: Secure path concatenation in Python?

Seems like there's an os.path.realpath() function that could help you out.


#4 2010-04-16 22:29:06

initbox
Member
Registered: 2008-09-27
Posts: 172

Re: Secure path concatenation in Python?

tavianator wrote:

Seems like there's an os.path.realpath() function that could help you out.

Without regex checking (or when it fails) you could still append Python code if you use something like os.path.realpath("/"+input)...

I guess plain regex checking is the way to go though with this, I've been thinking about this for days and I haven't come up with anything better (I'm no pro though).

So, only allow a-z A-Z 0-9 and a single dot, then use path+input.

Last edited by initbox (2010-04-16 22:32:48)


#5 2010-04-16 23:09:30

damjan
Member
Registered: 2006-05-30
Posts: 454

Re: Secure path concatenation in Python?

What exactly do you want to do?
If you are storing and then serving any files by users, you are better off hashing the input filename and storing it as such.

Also, if you have different users and you don't want two different users writing over each other's files, you can also do: hash( username + input )

hash can be md5 or sha1 or any other algorithm (it doesn't even need to be a crypto hash)

Offline
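
Added example, not code from any poster in this thread: it combines the two ideas discussed above, an allow-list on the file name and os.path.realpath(), and adds the containment comparison that realpath() alone does not perform. The SAFE_NAME pattern, the function names and the temporary directory tree (with a symlink pointing out of www/) are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Assumed allow-list for one file name: letters, digits, "_" and "-", with at
# most one dot introducing an extension. No slash, no leading dot or dash.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]*(?:\.[A-Za-z0-9]+)?")

def name_allowed(user_input):
    """Allow-list check on the raw input only (no filesystem access)."""
    return SAFE_NAME.fullmatch(user_input) is not None

def resolve_under(base, user_input):
    """Return the real path of user_input inside base, or None if it escapes."""
    if "\0" in user_input:
        return None
    base_real = os.path.realpath(base)
    # os.path.join() discards base when the input is absolute; the containment
    # check below rejects that case as well.
    candidate = os.path.realpath(os.path.join(base_real, user_input))
    # realpath() collapsed ".." and followed symlinks; it does not restrict
    # anything by itself, so compare the result against the base directory.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate

def safe_path(base, user_input):
    """Both layers: allow-list the name, then resolve and contain it."""
    return resolve_under(base, user_input) if name_allowed(user_input) else None

def demo():
    """Map each constructed input to (name_allowed, stays inside www/)."""
    with tempfile.TemporaryDirectory() as tmp:
        www = os.path.join(tmp, "www")
        os.mkdir(www)
        open(os.path.join(www, "index.html"), "w").close()
        open(os.path.join(tmp, "secret.txt"), "w").close()
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(www, "link"))
        inputs = ["index.html", "../secret.txt", "/etc/passwd", "link", ".hidden", "-rf"]
        return {i: (name_allowed(i), resolve_under(www, i) is not None) for i in inputs}

if __name__ == "__main__":
    for name, (allowed, contained) in demo().items():
        print(f"{name!r:18} name_allowed={allowed} contained={contained}")
```

The "link" input passes the name allow-list but is rejected by the containment check, while ".hidden" and "-rf" stay inside the directory but fail the allow-list, which is why safe_path() applies both.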
