stackoom
  简体   繁体   中英

How to prevent directory traversal attack from Python code

 原文  2017-07-19 11:05:59       python/ directory-traversal

Question

I need to prevent from directory traversal attack from my code using Python. My code is below: 

if request.GET.get('param') is not None and request.GET.get('param') != '':
    param = request.GET.get('param')
    startdir = os.path.abspath(os.curdir)
    requested_path = os.path.relpath(param, startdir)
    requested_path = os.path.abspath(requested_path)
    print(requested_path)
    tfile = open(requested_path, 'rb')
    return HttpResponse(content=tfile, content_type="text/plain")

Here I need user is running like http://127.0.0.1:8000/createfile/?param=../../../../../../../../etc/passwd this it should prevent the directory traversal attack.

2 answers

solution1
 5 ACCPTED  2017-07-19 11:13:53

Suppose the user content is all located in 

safe_dir = '/home/saya/server/content'

You need to verify the final request is in there: 

if os.path.commonprefix((os.path.realpath(requested_path),safe_dir)) != safe_dir: 
    #Bad user!

I encourage you to make sure all stuff you want accessible by the user in one place.

solution2
 1  2017-07-19 12:09:27

you could try the methods of pathlib.Path 

Path(root_dir).joinpath(param).resolve().relative_to(root_dir.resolve())

should return the relative path starting from the root_dir , or raise an ValueError if a directory traversal attack is tried

testing 

param = 'test_file'
Path(root_dir).joinpath(param).relative_to(root_dir)

WindowsPath('test_file') 

param = 'test_file/nested'
Path(root_dir).joinpath(param).relative_to(root_dir)

WindowsPath('test_file/nested') 

param = 'non_existing/../../data'
Path(root_dir).joinpath(param).resolve().relative_to(root_dir.resolve())

 --------------------------------------------------------------------------- ValueError Traceback (most recent call last) <ipython-input-26-a74379fe1817> in <module>() .... ValueError: 'C:\\\\python_scripts\\\\PyCharmProjects\\\\data' does not start with 'C:\\\\python_scripts\\\\PyCharmProjects\\\\testproject' 
param = 'non_existing/../nested'
Path(root_dir).joinpath(param).resolve().relative_to(root_dir.resolve())

WindowsPath('nested')

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Does my code prevent directory traversal? How to prevent “billion laughs” DoS attack in Python's xlrd? How to prevent injection attack in CREATE query in python mysql How do PyMySQL prevent user from sql injection attack? python directory recursive traversal program How to prevent Python from search the current working directory for modules? How to check for pipes in directory traversal? postorder traversal how do this code reach the print line - Python Prevent Python relative import from current directory How to prevent VSCode from exiting Python environment after running code?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM