Django Book Translation
Original:
Though it looks like that view restricts file access to files beneath ``BASE_PATH`` (by using ``os.path.join``), if the attacker passes in a ``filename`` containing ``..`` (that's two periods, a shorthand for the parent directory), she can access files above ``BASE_PATH``. It's only a matter of time before she can discover the correct number of dots to successfully access, say, ``../../../../../etc/passwd``.
Translation:
Although at first glance the view restricts file access to ``BASE_PATH`` (by using ``os.path.join``), if the attacker supplies a filename containing ``..`` (two periods, a shorthand for the parent directory), she can access files above the ``BASE_PATH`` directory tree. Gaining that access is only a matter of time (``../../../../../etc/passwd``).
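The passage describes why ``os.path.join`` alone does not confine a user-supplied filename to ``BASE_PATH``. The following is an added example (not code from the Django Book, and not a Django view) that puts the join-only pattern next to a hardened resolver which normalizes the candidate path and rejects anything that lands outside the base directory. The value of ``BASE_PATH`` and the function names ``resolve_unsafe``, ``resolve_safe`` and ``is_contained`` are assumptions made for this illustration.

```python
import os

# Assumed base directory for the example; the book's view calls it BASE_PATH.
BASE_PATH = "/home/files"


def resolve_unsafe(filename):
    """The pattern the text warns about: join and nothing else.

    normpath is applied only so the result shows where the path really
    points; a '..' component walks above BASE_PATH unhindered.
    """
    return os.path.normpath(os.path.join(BASE_PATH, filename))


def resolve_safe(filename):
    """Hardened resolver: normalize, then require containment.

    abspath collapses '..' segments, and a filename that is itself absolute
    (which os.path.join would silently honour) also ends up outside the base
    and is rejected. os.path.commonpath compares whole path components, so
    a sibling such as /home/files2 cannot pass as a prefix match.
    """
    base = os.path.abspath(BASE_PATH)
    candidate = os.path.abspath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("requested path escapes BASE_PATH: %r" % filename)
    return candidate


def is_contained(filename):
    """True if resolve_safe would accept the filename, False otherwise."""
    try:
        resolve_safe(filename)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name in ["report.txt", "../secret.txt", "../../../../../etc/passwd", "/etc/passwd"]:
        print("%-30s join-only -> %-22s contained: %s"
              % (name, resolve_unsafe(name), is_contained(name)))
```

If ``BASE_PATH`` or its children may contain symbolic links, resolve both sides with ``os.path.realpath`` instead of ``os.path.abspath`` before the containment check, since a link inside the base can otherwise point outside it.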
Notes:
Translator: