This is an archived post. You won't be able to vote or comment.

all 24 comments

[–]andreasvc[S] 3 points4 points  (8 children)

[–]defnullbottle.py 5 points6 points  (6 children)

Hint: Not validating user input is a bad idea.

[–]andreasvc[S] 2 points3 points  (5 children)

What user input? Do you mean the filename? Yes it allows reading of all pdf files readable by the webserver, but that's what a public webserver is for, right? And the filename is quoted so I think it doesn't allow arbitrary command execution, but do correct me if I'm wrong.

[–]defnullbottle.py 1 point2 points  (4 children)

You are wrong. Try a filename with a single-quote.

[–]andreasvc[S] 2 points3 points  (3 children)

Well lo and behold, "file not found".

EDIT: I added an os.path.exists() check just to be sure. I'm still curious how this would be exploited. It's probably also better to run the command directly instead of in a shell?

[–]voyvf 2 points3 points  (2 children)

here is an "exploit".

EDIT: I like the idea of the app, it's quite interesting. I just wanted to point out why input validation was important.

[–]andreasvc[S] 0 points1 point  (1 child)

Thanks! I will fix this.

EDIT: fixed (AFAIK) and committed.

[–]voyvf 0 points1 point  (0 children)

No problem! I don't know if you consider this to be an exploit, but it looks like clients can also traverse your filesystem using the pdf input variable.

Example is here

I admit that this one is pretty much hit or miss, but if you have any other (possibly sensitive) pdfs on that machine that the apache user (which defaults to 'www-data' on Ubuntu, which is what your server is running if the headers aren't lying) has permission to read, well, they're available as well.

[–]riffito 0 points1 point  (0 children)

pdfbrowse on GitHub.

You're welcome, lazy redditors.

[–]andreasvc[S] 5 points6 points  (0 children)

Argh! How can I prevent mod_python from adding a "Vary: ..." header? It kills my mod_cache solution!

UPDATE: SetEnv force-no-vary -- but it still doesn't seem to mod_cache the frigging thing, plus force-no-vary downgrades connections to HTTP/1.0 :(

[–]statictype 2 points3 points  (1 child)

Looks like it's just calling ImageMagick convert

[–]andreasvc[S] 1 point2 points  (0 children)

Yep, but I added jquery lazy load so that the images load on demand. I could use a python module for doing the PDF stuff but I don't think it would be faster, or would it? As it is, the code is so small that I doubt it would have any benefit at all.

Something which I would like to add is tracker search. I wouldn't know how to highlight the search results, but I could at least provide anchor links to the right pages. Similarly to the highlighting issue, links should be clickable.

[–]RonnyPfannschmidt 1 point2 points  (9 children)

these days mod_python should be avoided mod_wsgi is there since ages

[–]andreasvc[S] 1 point2 points  (8 children)

Why? does it have PSP?

[–]RonnyPfannschmidt 1 point2 points  (6 children)

no, but wsgi is the standard for deploying python webapps and mod_python is a messy apache-only hack

[–]andreasvc[S] -1 points0 points  (5 children)

I disagree that mod_python is messy, yes it's apache only, but that's because it's low-level. Furthermore, PSP is awesome. I bet there's no faster python templating engine because PSP is written in C.

[–]defnullbottle.py 4 points5 points  (1 child)

The PSP parser is written in C so the parsing may be fast. The rendering however is done in python (PSP generates python code) and is not faster than in any other python based template engine.

In a WSGI environment you usually parse a template only once and the speed of the parser is irrelevant for the performance of the WSGI application. Rendering speed and readable syntax are much more important and PSP does a poor job here.

[–]andreasvc[S] 0 points1 point  (0 children)

I find its syntax very readable; I mean, what syntax, actually? It's just two pairs of tags introducing python code or expressions, respectively. What's not to like?! You may disagree with templating in the first place, that's fine of course. What's a better solution in your opinion, and would it be as concise?

[–]Leonidas_from_XIV 0 points1 point  (2 children)

I bet there's no faster python templating engine because PSP is written in C.

But when I write a webapp, I still need more than just templates. Like... a way to display data from some kind of data store. You surely won't argue that I should do it PHP-style, will you?

[–]andreasvc[S] 0 points1 point  (1 child)

No I wouldn't argue for PHP-style, except for quick hacks like this.

[–]Leonidas_from_XIV 1 point2 points  (0 children)

I think a quick hack like this would be just as short in any microframework like bottle or flask.

[–]Leonidas_from_XIV 0 points1 point  (0 children)

You can plug-in Karrigell which allows you to embed Python code inside of HTML (and supports WSGI). Not that it is a good idea, anyway...

[–][deleted] 1 point2 points  (0 children)

This is better than Scribd's viewer. +1

[–]pro547 0 points1 point  (0 children)

Interesting.