Django Book Translation
Original:
Not exactly. Yes, a maliciously crafted value of ``page`` could cause directory traversal, but although ``page`` *is* taken from the request URL, not every value will be accepted. The key is in the URLconf: we're using the regular expression ``\w+`` to match the ``page`` part of the URL, and ``\w`` only accepts letters and numbers. Thus, any malicious characters (dots and slashes, here) will be rejected by the URL resolver before they reach the view itself.
Translation:
Not exactly. Yes, a malicious ``page`` value could cause directory traversal, but although ``page`` *is* taken from the request URL, not every value is accepted. This is the key point of the URL configuration: we use the regular expression ``\w+`` to match ``page`` from the URL, and ``\w`` only accepts letters and digits. Therefore, any malicious characters (for example, here the dot ``.`` and forward slash ``/``) are rejected during URL resolution and never reach the view function at all.
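As an added illustration (not code from the Django Book), here is a tiny stand-in for Django's URL resolver using the same ``\w+`` capture, together with the view-side path check a defender would still keep as a second line of defence; the ``wiki/`` prefix, the view name and the ``/srv/wiki`` directory are constructed for this example. Note that ``\w`` also accepts the underscore, which is harmless here.

```python
import posixpath
import re

# Added example, not the Django Book's own code: a minimal stand-in for the
# Django URL resolver, using the same ``\w+`` capture the passage describes.
# The "wiki/" prefix and the view name are constructed for illustration.
URLCONF = [
    (re.compile(r"^wiki/(?P<page>\w+)/$"), "view_page"),
]


def resolve(path):
    """Return (view_name, kwargs) for the first pattern that matches, else None.

    As in Django, the caller passes the request path without its leading '/'.
    """
    for regex, view_name in URLCONF:
        match = regex.match(path)
        if match:
            return view_name, match.groupdict()
    return None


def page_path(page, root="/srv/wiki"):
    """Map an accepted ``page`` value to a file under ``root`` (hypothetical dir).

    The URLconf already guarantees ``page`` contains only letters, digits and
    underscores, so no '.', '/' or '\\' can be present. The lexical check below
    is a second line of defence in case the URLconf is later loosened.
    """
    root = root.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, page + ".txt"))
    if posixpath.dirname(candidate) != root:
        raise ValueError("page resolves outside the content directory: %r" % page)
    return candidate


if __name__ == "__main__":
    # Constructed request paths: the first is accepted, the rest are rejected
    # by the resolver before any view runs.
    for path in ("wiki/Intro/", "wiki/../../etc/passwd/", "wiki/a.b/", "wiki/..%2F/"):
        print(path, "->", resolve(path))
```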
Notes:
Translator: