Prevent direct file access to server files in tornado

I'm using Python with the Tornado web server. The application works fine, but I can't find a way to prevent the user from accessing server files directly via URL. For example, I have the following files on the server:

program.py
index.html
main.html

I wanted to prevent the user from accessing the above server files directly via web URL,
e.g. localhost:8080/program.py or /index.html

I only wanted them to access localhost:8080/ or /home

Thanks in advance

from ws4py.client.tornadoclient import TornadoWebSocketClient
import tornado.httpserver  # used below for tornado.httpserver.HTTPServer
import tornado.ioloop
import tornado.web
import tornado.websocket
import tornado.template

SETTING_CLIENT_LISTEN_PORT = 8080
class MainHandler(tornado.web.RequestHandler):

    def get(self):
        try:
            loader = tornado.template.Loader(".")
            self.write(loader.load("index.html").generate())
        except Exception as e:
            print("exception occured", e)

class CWSHandler(tornado.websocket.WebSocketHandler):
    global  waiters

    def open(self):
        print('###FUNCTION CWSHandler.open(self) start')

    def on_close(self):
        print('###FUNCTION CWSHandler.open(self) close')

    def on_message(self, message):
        print('###FUNCTION CWSHandler.on_message msg:', message)

settings = {
    "cookie_secret": "bZJc2sWbQLKos6GkHn/VB9oXwQt8S0R0kRvJ5/xJ89E=",
    "login_url": "/",
}

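application = tornado.web.Application(handlers=[
    (r'/', MainHandler),
    (r'/cws', CWSHandler),
    # Catch-all route: any other URL is looked up as a file under './'
    # (the project directory), so program.py and index.html are served.
    (r"/(.*)", tornado.web.StaticFileHandler,{'path':'./'})
    ], cookie_secret="bZJc2sWbQLKos6GkHn/VB9oXwQt8S0R0kRvJ5/xJ89E=")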

if __name__ == "__main__":
    server = tornado.httpserver.HTTPServer(application)
    server.listen(SETTING_CLIENT_LISTEN_PORT)

    try:
        tornado.ioloop.IOLoop.instance().start()
        server.stop()
    except KeyboardInterrupt:
        print("Keyboard interupt")
        pass
    finally:
        server.stop()
        tornado.ioloop.IOLoop.instance().stop()

The problem is with your urls, specifically:

(r"/(.*)", tornado.web.StaticFileHandler,{'path':'./'})

You have mapped r'/(.*)' to {'path': './'}, which is your project directory. So, if a request comes in like localhost:8080/program.py, it will be matched with this, /(.*), and Tornado will then look for a file named program.py in your project directory. If it finds it there, it will serve that file.

You should keep all your static files in a separate directory called static (you can name it anything you want, though) inside your project dir. Then map this directory to the desired URL.

Example:

(r"/(.*)", tornado.web.StaticFileHandler,{'path': 'static'})

Or better yet, serve that directory under a /static/ URL instead of .*:

(r"/static/(.*)", tornado.web.StaticFileHandler,{'path': 'static'})
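
A check of the fix described in the answer, as an added example that is not part of the original post: it builds a constructed project (program.py and index.html in the project root, plus static/app.js) in a temporary directory and returns the HTTP status of each URL, first under the question's catch-all route and then under the /static/ route. The /home route and the names make_app, build_sample_project and status_codes are assumptions made for the illustration.

```python
import asyncio
import os
import tempfile
import tornado.web
from tornado.httpclient import AsyncHTTPClient
from tornado.httpserver import HTTPServer
from tornado.netutil import bind_sockets

class MainHandler(tornado.web.RequestHandler):
    def get(self):
        # index.html is read from template_path by the server, not fetched by URL.
        self.render("index.html")

def make_app(project_dir, catch_all=False):
    """catch_all=True reproduces the question's route; False applies the fix."""
    if catch_all:
        static = (r"/(.*)", tornado.web.StaticFileHandler, {"path": project_dir})
    else:
        static = (r"/static/(.*)", tornado.web.StaticFileHandler,
                  {"path": os.path.join(project_dir, "static")})
    return tornado.web.Application(
        [(r"/", MainHandler), (r"/home", MainHandler), static],
        template_path=project_dir)

def build_sample_project():
    """Constructed sample layout mirroring the question, plus one static asset."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "static"))
    files = {"program.py": "SECRET = 1\n", "index.html": "<h1>home</h1>\n",
             os.path.join("static", "app.js"): "console.log('hi');\n"}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root

async def _probe(app, paths):
    socks = bind_sockets(0, "127.0.0.1")      # free loopback port
    port = socks[0].getsockname()[1]
    server = HTTPServer(app)
    server.add_sockets(socks)
    client = AsyncHTTPClient()
    codes = {}
    for p in paths:
        resp = await client.fetch(f"http://127.0.0.1:{port}{p}", raise_error=False)
        codes[p] = resp.code
    server.stop()
    return codes

def status_codes(app, paths):
    """Serve app on loopback and return {path: HTTP status code}."""
    return asyncio.run(_probe(app, paths))
```

Calling status_codes(make_app(root), paths) against your own project directory after moving assets into static/ gives a quick regression check that source and template files stay unreachable.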
