durusmail: quixote-users: Module to map filesystem files into Quixote, revision 3
Andrew Kuchling
2002-10-08
>            print >>out, "
> 
> %s
> 
> " % request.environ['REQUEST_URI']

Cross-site scripting hole: html_quote() is needed for REQUEST_URI.

> template = '%s%s'
...
> print >>out, template % (urllib.quote(filename), filename,

Again, this should use html_quote(filename).

> # Execute the compiled CGI script and collect its output as a MIME
> # message (but parse only the headers).
> exec code
> parser = email.Parser.HeaderParser()
> mime_message = parser.parsestr(sys.stdout.getvalue())

If the 'exec' raises an exception, the context (stdin, stdout, etc.)
won't be restored.  The exec probably needs to be wrapped in a
try...finally statement.

The file code will follow symlinks.  That's OK with me, but maybe that
should be a selectable option.

With those changes, the code looks fine to me.

--amk                                                             (www.amk.ca)
Shoes: gloves for the feet.
    -- Peter Greenaway, _Rosa: The Death of a Composer_