Home/ Questions/Q 8807851
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T02:28:12+00:00

I want to make an own static file view that returns the file defined

  • 0

I want to make an own static file view that returns the file defined in the GET request. The file must be in an extra directory. The URL must be like /e?s=NAME_OF_FILE. My problem is, hackers can use this like /e?s=/PATH/TO/DATABASE to get any file from the server. I have already a workaround, but i think there are better solutions.

My code:

path = os.path.abspath(os.path.join(script_path, filename))
if path.startswith(script_path):
    # Good
else:
    # Bad

This is for “hidden static files”, that should not be handled by the server.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    What you are doing is of not much help. Some things you could do –

    1. In the webserver turn off directory listing so that the ‘hacker’ does not get the list of all files in that directory.
    2. Instead of exposing the actual filename to outside world you could take the filename, generate a MD5 has of this filename, store this mapping somewhere in your servers and expose this MD5 as the filename. So it becomes /e?s=MD5_HASH_OF_FILENAME. What this does is make it extremely difficult for the ‘hacker’ to ‘guess’ the filename. Brute-force does not help as MD5 are not easy to guess. So in effect, only people who have been some how sent this URL will have access to it.
    3. You can expose this static file viewing API to only authenticated users rather than make it public API. You can use @login_required decorator.
    4. Finally, enable HTTPS on your webserver.
    • 0