[albatross-users] Upgrade problems to albatross 1.10pre2

Dave Cole djc at object-craft.com.au
Wed Jul 9 23:04:38 EST 2003


>>>>> "Andrew" == Andrew McNamara <andrewm at object-craft.com.au> writes:

>> OK, good suggestions. I have done this, and the output was as
>> follows:
>> 
>> os.getcwd() = /big/dom/xdomain/cgi-bin/qa_auth dirname = /

Andrew> Okay - this means that load_page_module has been called with
Andrew> name="/login" - this means the page name extraction code in
Andrew> RandomPageModuleMixin.load_page() is buggy. Dave will look at
Andrew> this shortly, I hope.

I have been wondering if it is possible for the application to
discover the base_url from the web server.  It certainly is using CGI,
so probably is with FastCGI too, but I am not so sure about
mod_python.  I am certain the BaseHTTPServer cannot supply enough
information.

With CGI the SCRIPT_NAME environment tells you the base_url.

Just played a bit with mod_python.  The path_info does not help me as
much as it could.  Maybe I have missed something in my Apache
configuration.  I have allowed .htaccess files by doing this:

<Directory /var/www/alsamp/>
    AllowOverride FileInfo Indexes
    Order allow,deny
    Allow from all
</Directory>

Then in the /var/www/alsamp/simple directory I have added this
.htaccess file:

DirectoryIndex simple.py
SetHandler python-program
PythonHandler simple

Now the funny thing is that when I look at the Request.path_info
information there is one path element missing...

uri         /alsamp/simple/something/missing
path_info   /missing

I was sure that the 'something/' would appear in the path_info.

If there was some way to find the missing path element then there
would be no need for the base_url argument to the application
constructor.  This would allow the toolkit to be certain about the
part of the URI that corresponded to the application location, and so
it would be able to find the path to the right of that.

Andrew> Dave - we probably also need to add a check to ensure
Andrew> load_page_module is never called with an absolute path - it's
Andrew> a security problem.

I think we need to prevent any attempt to climb directories.  Didn't
you have some code for that somewhere?

- Dave

-- 
http://www.object-craft.com.au
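An added illustration of the two points raised in the message above (deriving the application's base_url from the CGI variables instead of a constructor argument, and refusing absolute or directory-climbing page names before anything like load_page_module runs). This is example code written for this page, not code from the Albatross toolkit or from the thread; the environment values, the page directory /srv/alsamp/pages and the function names are all assumptions made for the example.

```python
import os
import re
import posixpath

# Constructed sample (not from the thread): the CGI variables a web server
# would set for a request to /cgi-bin/qa_auth/login.
SAMPLE_ENVIRON = {
    "SCRIPT_NAME": "/cgi-bin/qa_auth",
    "PATH_INFO": "/login",
}

# Each path component of a page name must look like a Python module name.
# This alone rules out "", "." and "..", but the explicit checks below give
# clearer error messages.
_COMPONENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


class PageNameError(ValueError):
    """Raised when a page name cannot be mapped safely onto a page module."""


def split_request(environ):
    """Return (base_url, page_name) from CGI-style SCRIPT_NAME / PATH_INFO.

    base_url is the part of the URI the server mapped to the application
    script; page_name is the remainder with its leading slash removed, so
    the application never sees an absolute page name such as "/login".
    """
    base_url = environ.get("SCRIPT_NAME", "")
    path_info = environ.get("PATH_INFO") or ""
    return base_url, path_info.lstrip("/")


def safe_page_path(base_dir, page_name, suffix=".py"):
    """Map page_name onto a file below base_dir, refusing anything that
    could climb out of it.  Returns the normalised file path."""
    if not page_name:
        raise PageNameError("empty page name")
    # Treat backslashes as separators too, so a name like "..\\x" is not
    # waved through on platforms where the OS would honour it.
    candidate = page_name.replace("\\", "/")
    if posixpath.isabs(candidate):
        raise PageNameError("absolute page name rejected: %r" % page_name)
    parts = candidate.split("/")
    for part in parts:
        if part in ("", ".", ".."):
            raise PageNameError("traversal or empty component in %r" % page_name)
        if not _COMPONENT_RE.match(part):
            raise PageNameError("bad component %r in %r" % (part, page_name))
    base_abs = os.path.abspath(base_dir)
    full = os.path.abspath(os.path.join(base_abs, *parts)) + suffix
    # Belt and braces: even after the component checks, insist that the
    # resulting path still lies below base_dir.
    if os.path.commonpath([base_abs, full]) != base_abs:
        raise PageNameError("page %r resolves outside %s" % (page_name, base_dir))
    return full


if __name__ == "__main__":
    base_url, page = split_request(SAMPLE_ENVIRON)
    print("base_url=%s page=%s" % (base_url, page))
    print(safe_page_path("/srv/alsamp/pages", page))
    for bad in ("/login", "../../etc/passwd", "admin/../../x", "a b"):
        try:
            safe_page_path("/srv/alsamp/pages", bad)
        except PageNameError as exc:
            print("rejected:", exc)
```

The component whitelist does the real work; the final commonpath check is there so that a future change to the name rules cannot silently reopen the hole.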