python/cgi/html bug

Discussion in 'Python' started by Dfenestr8, Jan 18, 2005.

  1. Dfenestr8 (Guest)

    Hi.

    I've written a cgi messageboard script in python, for an irc chan I happen
    to frequent.

    Bear with me, it's hard for me to describe what the bug is. So I've
    divided this post into two sections: HOW MY SCRIPT WORKS, and WHAT THE
    BUG IS.



    HOW MY SCRIPT WORKS

    Basically, it's divided into two executable scripts......

    One is the thread viewer, ppthread.py, which views threads. When someone
    posts a new topic, for instance called "Generic new topic", it creates
    a file called "Generic new topic.thread". It stores the post, and any
    subsequent posts in the thread, in that file. Nice and simple I
    figured.

    The other executable script is the topic viewer, pptopic.py. All that does
    is display the topics, by doing a "tops = os.popen('ls -c *.thread')" The
    "ls -c" part reads the threads in the order in which they've been
    modified, so the first item in the list is always the thread most recently
    posted in.

    It then creates an html link to each of the threads ... on the page the
    html looks like....

    <a href = ppthread.py?subject=foo>foo</a><br>

    WHAT THE BUG IS ....

    The problem is when someone posts a new topic, and that topic happens to
    have "" double quotes, or any other strange character, some strange
    glitches occur.

    The best way to describe it is to demonstrate it: go to the forum and try
    it yourself. Try entering a topic with straight, ordinary characters; note
    that you can re-enter the thread any time you want and make new posts
    under it. Then try entering a thread with new or whacky characters and see
    how far you get.

    http://funkmunch.net/~pirch/cgi-bin/alphaforum/pptopic.py

    BTW, if you want to download the script, here it is in gzipped form
    http://funkmunch.net/~pirch/pepperpot.tgz
    Dfenestr8, Jan 18, 2005
    #1

  2. Dan Bishop (Guest)

    Dfenestr8 wrote:
    > Hi.
    >
    > I've written a cgi messageboard script in python, for an irc chan I happen
    > to frequent.
    >
    > Bear with me, it's hard for me to describe what the bug is. So I've
    > divided this post into two sections: HOW MY SCRIPT WORKS, and WHAT THE
    > BUG IS.
    > ...
    > The problem is when someone posts a new topic, and that topic happens to
    > have "" double quotes, or any other strange character, some strange
    > glitches occur.


    Use cgi.escape(topic, True) to convert HTML special characters to the
    equivalent ampersand escape sequences.
    Dan Bishop, Jan 19, 2005
    #2

  3. Dfenestr8 (Guest)

    On Tue, 18 Jan 2005 21:50:58 -0800, Dan Bishop wrote:

    > Dfenestr8 wrote:
    >> Hi.
    >>
    >> I've written a cgi messageboard script in python, for an irc chan I happen
    >> to frequent.
    >>
    >> Bear with me, it's hard for me to describe what the bug is. So I've
    >> divided this post into two sections: HOW MY SCRIPT WORKS, and WHAT THE
    >> BUG IS.
    >> ...
    >> The problem is when someone posts a new topic, and that topic happens to
    >> have "" double quotes, or any other strange character, some strange
    >> glitches occur.
    >
    > Use cgi.escape(topic, True) to convert HTML special characters to the
    > equivalent ampersand escape sequences.


    Thanx.

    Seems to work now. :)
    Dfenestr8, Jan 19, 2005
    #3
  4. Fuzzyman (Guest)

    Dfenestr8 wrote:
    > Hi.
    >
    > I've written a cgi messageboard script in python, for an irc chan I happen
    > to frequent.
    >


    This looks very good.
    I've been looking for a python messageboard CGI for a long time.

    If you wanted to add user accounts/login/admin etc. you could use
    'Login Tools'. This is a python module built especially to do that. It
    also provides a convenient way of saving user preferences etc.

    http://www.voidspace.org.uk/python/logintools.html

    If you want any help using it then feel free to ask.

    Regards,

    Fuzzy
    http://www.voidspace.org.uk/python/index.shtml

    > Bear with me, it's hard for me to describe what the bug is. So I've
    > divided this post into two sections: HOW MY SCRIPT WORKS, and WHAT THE
    > BUG IS.
    >
    >
    >
    > HOW MY SCRIPT WORKS
    >
    > Basically, it's divided into two executable scripts......
    >
    > One is the thread viewer, ppthread.py, which views threads. When someone
    > posts a new topic, for instance called "Generic new topic", it creates
    > a file called "Generic new topic.thread". It stores the post, and any
    > subsequent posts in the thread, in that file. Nice and simple I
    > figured.
    >
    > The other executable script is the topic viewer, pptopic.py. All that does
    > is display the topics, by doing a "tops = os.popen('ls -c *.thread')" The
    > "ls -c" part reads the threads in the order in which they've been
    > modified, so the first item in the list is always the thread most recently
    > posted in.
    >
    > It then creates an html link to each of the threads ... on the page the
    > html looks like....
    >
    > <a href = ppthread.py?subject=foo>foo</a><br>
    >
    > WHAT THE BUG IS ....
    >
    > The problem is when someone posts a new topic, and that topic happens to
    > have "" double quotes, or any other strange character, some strange
    > glitches occur.
    >
    > The best way to describe it is to demonstrate it: go to the forum and try
    > it yourself. Try entering a topic with straight, ordinary characters; note
    > that you can re-enter the thread any time you want and make new posts
    > under it. Then try entering a thread with new or whacky characters and see
    > how far you get.
    >
    > http://funkmunch.net/~pirch/cgi-bin/alphaforum/pptopic.py
    >
    > BTW, if you want to download the script, here it is in gzipped form
    > http://funkmunch.net/~pirch/pepperpot.tgz
    Fuzzyman, Jan 19, 2005
    #4
  5. Dfenestr8 (Guest)

    On Wed, 19 Jan 2005 04:32:04 -0800, Fuzzyman wrote:

    > This looks very good.
    > I've been looking for a python messageboard CGI for a long time.
    >


    Thanx!

    No glaring security holes that you noticed? Other than being able to hide
    things in html tags?

    > If you wanted to add user accounts/login/admin etc. you could use 'Login
    > Tools'. This is a python module built especially to do that. It also
    > provides a convenient way of saving user preferences etc.
    >
    > http://www.voidspace.org.uk/python/logintools.html
    >
    > If you want any help using it then feel free to ask.
    >
    > Regards,
    Dfenestr8, Jan 19, 2005
    #5
  6. Paul Rubin (Guest)

    Dfenestr8 <> writes:
    > No glaring security holes that you noticed? Other than being able to hide
    > things in html tags?


    Looks like you can also embed arbitrary javascript (I just tried it).
    I haven't looked at the script itself yet.
    Paul Rubin, Jan 19, 2005
    #6
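    The two replies above point at the same root cause: the topic string is
    dropped raw into the link pptopic.py emits (Dan Bishop's escaping advice),
    which is also why script tags typed into a topic run in other readers'
    browsers (Paul Rubin's observation). The example below is added here and
    is not code from the pepperpot script or from anyone in the thread. It is
    Python 3, where html.escape(s, quote=True) replaces the cgi.escape(s, True)
    that was suggested in 2005 and removed in Python 3.8. The link format and
    the "subject" query parameter are taken from the original post; the
    function names and the sample topics are constructed for this example.
    It shows the raw link beside a hardened one that encodes the topic for
    the query string, quotes the attribute and escapes the visible text, and
    then decodes the link again to check that a topic with quotes comes back
    unchanged, which is the part that broke the "re-enter the thread" case.

```python
import html
import re
from urllib.parse import parse_qs, quote_plus, urlsplit

# Constructed sample topics (not from the thread's forum): the plain case,
# the double-quote case reported in the thread, and the script-tag case
# Paul Rubin described.
SAMPLE_TOPICS = [
    "Generic new topic",
    'Say "hello" & goodbye',
    "<script>alert(1)</script>",
]


def render_link_unsafe(topic):
    """The link pattern the original post describes: the topic is dropped raw
    into both the unquoted href value and the link text. Kept for comparison
    only; a quote or angle bracket in the topic changes the page structure."""
    return "<a href = ppthread.py?subject=%s>%s</a><br>" % (topic, topic)


def render_link_safe(topic):
    """Hardened link: the topic is percent-encoded for the query string, the
    href sits in a quoted attribute, and the visible text is HTML-escaped.
    html.escape(..., quote=True) is the Python 3 equivalent of
    cgi.escape(topic, True)."""
    href = "ppthread.py?subject=" + quote_plus(topic)
    return '<a href="%s">%s</a><br>' % (
        html.escape(href, quote=True),
        html.escape(topic, quote=True),
    )


def render_topic_list(topics):
    """What the topic viewer would emit for a list of thread names."""
    return "\n".join(render_link_safe(t) for t in topics)


def recover_subject(link_html):
    """Simulate the browser following the link: pull the href out of the
    quoted attribute, undo the HTML escaping, and decode the subject query
    parameter. The result is the topic exactly as it was typed, which is what
    the thread viewer needs to locate the matching .thread file."""
    match = re.search(r'href="([^"]*)"', link_html)
    if match is None:
        raise ValueError("no quoted href attribute in link")
    query = urlsplit(html.unescape(match.group(1))).query
    return parse_qs(query, keep_blank_values=True)["subject"][0]


def round_trips(topics):
    """True when every topic survives render -> recover unchanged."""
    return all(recover_subject(render_link_safe(t)) == t for t in topics)


if __name__ == "__main__":
    for t in SAMPLE_TOPICS:
        print("raw :", render_link_unsafe(t))
        print("safe:", render_link_safe(t))
    print("round trip ok:", round_trips(SAMPLE_TOPICS))
```

    Two separate encodings are in play and neither substitutes for the other:
    percent-encoding protects the URL (so "&" in a topic does not start a new
    query parameter), and HTML escaping protects the markup (so "<" in a topic
    is text, not a tag). Quoting the href attribute matters too, since an
    unquoted attribute ends at the first space.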
  7. Dfenestr8 (Guest)

    On Wed, 19 Jan 2005 12:15:18 -0800, Paul Rubin wrote:

    > Dfenestr8 <> writes:
    >> No glaring security holes that you noticed? Other than being able to
    >> hide things in html tags?

    >
    > Looks like you can also embed arbitrary javascript (I just tried it). I
    > haven't looked at the script itself yet.


    fixed that.
    try doing it now......

    http://funkmunch.net/~pirch/cgi-bin/betaforum/pptopic.py
    Dfenestr8, Jan 20, 2005
    #7
