Question about virginia


Georges Dubus

Mar 1, 2011, 5:32:35 AM3/1/11
to pylons-devel
Hi there

I was looking at the virginia sample application, and I have a few
questions:

- What mechanism protects the application from viewing the /../ dir?
I know the open method of Filesystem checks the path before opening a
file, but that doesn't explain why, when going to the URL http://localhost:6543/../
, I am redirected to http://localhost:6543/../ .

- Is there a reason so many interfaces are used? IFilesystem is never
referenced outside of Filesystem, and IStructuredText isn't even
implemented.

Thanks for helping me understand that.


Cheers,

Georges

Tres Seaver

Mar 1, 2011, 5:00:47 PM3/1/11
to pylons...@googlegroups.com
On 03/01/2011 05:32 AM, Georges Dubus wrote:
> Hi there
>
> I was looking at the virginia sample application, and I have a few
> questions:
>
> - What mechanism protects the application from viewing the /../ dir?
> I know the open method of Filesystem checks the path before opening a
> file, but that doesn't explain why, when going to the URL http://localhost:6543/../
> , I am redirected to http://localhost:6543/../ .

I'm afraid the example doesn't defend against relative '..' at all.

> - Is there a reason so many interfaces are used? IFilesystem is never
> referenced outside of Filesystem, and IStructuredText isn't even
> implemented.
>
> Thanks for helping me understand that.

The pattern of registering views and adapters against interfaces, rather
than directly against classes, goes back to our Zope-ish roots. I think
some of those interfaces are actually left over from the time when Chris
re-wrote 'repoze.kiss' to function as a BFG-based application: in
'repoze.kiss', there were real views registered for all the interfaces.


Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tse...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com

Georges Dubus

Mar 2, 2011, 5:21:55 AM3/2/11
to pylons-devel


On 1 Mar, 23:00, Tres Seaver <tsea...@palladion.com> wrote:
>
> I'm afraid the example doesn't defend against relative '..' at all.
>

That's what I would have thought, but http://localhost:6543/../
redirects to http://localhost:6543/ (sorry, typo in the previous
message). I thought this had something to do with virginia, but it
seems that the ".." is interpreted earlier in the framework. In fact,
it looks like it's the expected behaviour for a URL (just try:
http://groups.google.com/group/pylons-devel/../../.. )

>
> The pattern of registering views and adapters against interfaces, rather
> than directly against classes, goes back to our Zope-ish roots.  I think
> some of those interfaces are actually left over from the time when Chris
> re-wrote 'repoze.kiss' to function as a BFG-based application:  in
> 'repoze.kiss', there were real views registered for all the interfaces.
>
Historical reasons? That's what I thought. But, as it's used as an
example application, wouldn't it be less confusing for newcomers to
"clean" the application of the bits that aren't useful any more, in
order to get a minimal working example? If that's a good idea, I
volunteer.

Georges

Chris McDonough

Mar 2, 2011, 12:36:03 PM3/2/11
to pylons...@googlegroups.com
On Wed, 2011-03-02 at 02:21 -0800, Georges Dubus wrote:
>
> On 1 Mar, 23:00, Tres Seaver <tsea...@palladion.com> wrote:
> >
> > I'm afraid the example doesn't defend against relative '..' at all.
> >
>
> That's what I would have thought, but http://localhost:6543/../
> redirects to http://localhost:6543/ (sorry, typo in the previous
> message). I thought this had something to do with virginia, but it
> seems that the ".." is interpreted earlier in the framework. In fact,
> it looks like it's the expected behaviour for a URL (just try:
> http://groups.google.com/group/pylons-devel/../../.. )

In a traversal-based application, Pyramid recomputes all '..' segments
from the path at ingress, computing a traversal path before the
application ever sees it.

> >
> > The pattern of registering views and adapters against interfaces, rather
> > than directly against classes, goes back to our Zope-ish roots. I think
> > some of those interfaces are actually left over from the time when Chris
> > re-wrote 'repoze.kiss' to function as a BFG-based application: in
> > 'repoze.kiss', there were real views registered for all the interfaces.
> >
> Historical reasons? That's what I thought. But, as it's used as an
> example application, wouldn't it be less confusing for newcomers to
> "clean" the application of the bits that aren't useful any more, in
> order to get a minimal working example? If that's a good idea, I
> volunteer.

That'd be fine by me, if you can work up a pull request.

- C

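The two layers discussed in this thread, collapsed into one runnable illustration. This is an added example and not code from Pyramid, repoze.bfg or the virginia sample: `traversal_path_info` follows the dot-segment logic Chris describes (drop empty and `.` segments, let `..` pop the previous segment and do nothing at the root), and `resolve_under_root` is a hypothetical stand-in for the "open method of Filesystem checks the path" step from Georges' first message. It assumes PATH_INFO has already been percent-decoded by the server, and the directory tree in `demo()` is constructed sample data.

```python
"""Dot-segment normalisation at ingress, plus the filesystem-level check
a static-file view still needs afterwards.  Added example, not project code."""
import os
import tempfile
from typing import Optional, Sequence, Tuple


def traversal_path_info(path_info: str) -> Tuple[str, ...]:
    """Turn an already percent-decoded PATH_INFO into traversal segments.

    Empty segments and '.' are dropped; '..' pops the previous segment and
    is a no-op at the root, so no sequence of segments can address anything
    above the root object.  Re-implementation of the traversal logic the
    thread describes, written for this example (assumption: input is the
    decoded PATH_INFO, not the raw request line).
    """
    clean = []
    for segment in path_info.strip('/').split('/'):
        if segment in ('', '.'):
            continue
        if segment == '..':
            if clean:
                clean.pop()
            continue
        clean.append(segment)
    return tuple(clean)


def resolve_under_root(root: str, segments: Sequence[str]) -> Optional[str]:
    """Map traversal segments onto a directory; None if the result escapes it.

    Hypothetical stand-in for the check a filesystem-backed view does before
    open().  It is still needed after traversal_path_info: a symlink inside
    the tree pointing outside, or a caller that hands in un-normalised
    segments, would otherwise reach files outside the served directory.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *segments))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def demo() -> dict:
    """Exercise both layers on a constructed directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, 'docroot')
        os.makedirs(os.path.join(root, 'docs'))
        with open(os.path.join(root, 'docs', 'index.html'), 'w') as fh:
            fh.write('<h1>hello</h1>')
        outside = os.path.join(tmp, 'secret.txt')  # deliberately not under root
        with open(outside, 'w') as fh:
            fh.write('not for you')

        # 1. '..' is collapsed before the application sees a path.
        results['root_dotdot'] = traversal_path_info('/../')
        results['nested_dotdot'] = traversal_path_info('/docs/../docs/./index.html')

        # 2. Clean segments map to a file inside the root.
        ok = resolve_under_root(root, traversal_path_info('/docs/index.html'))
        results['ok'] = ok is not None and os.path.isfile(ok)

        # 3. A caller that skips normalisation is still refused.
        results['raw_escape'] = resolve_under_root(root, ('..', 'secret.txt'))

        # 4. A symlink inside the tree that points outside is refused too
        #    (reported as None where the platform cannot create symlinks).
        link = os.path.join(root, 'docs', 'leak')
        try:
            os.symlink(outside, link)
            results['symlink_escape'] = resolve_under_root(root, ('docs', 'leak'))
        except (OSError, NotImplementedError):
            results['symlink_escape'] = None
    return results


if __name__ == '__main__':
    for name, value in demo().items():
        print(f'{name}: {value!r}')
```

Case 4 is the reason the second check exists at all: the router guarantees the segment list never climbs above the root object, but it knows nothing about what those segments name on disk. Realpath-then-commonpath answers that question, and a view that serves files should do it regardless of what the framework did upstream.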
