I am passing a URL as the first parameter, to a script. But it will not take the full URL if it contains an equal sign (=). For example if myscript.py contains:
site = sys.argv[1]
and I call
myscript.py https://www.google.com/#q=boxing
it stops before the equal sign and doesn't take in the full url.
site = sys.argv[1]
print(site)
output:
https://www.google.com/#q=
I know I can put the full URL in double quotes and it will get processed, but I want to automate passing the parameter and not have to worry about putting double quotes.
Could someone please provide some guidance? Thanks.
I should have been a little more specific: I am calling my Python script via a Windows batch file. The (=) is a delimiter, and is taking the rest of the URL as a parameter. I was able to fix this by putting double quotes around the URL. I thought Python was causing the issue, but it was the Windows command prompt all along.
I wrote a small service in go (although I don't think this would be a language specific issue), that caches some results by saving it to a file, and writing a URL query parameter into the filename with "prefix" + param + ".json" using ioutil.WriteFile. The service runs on Ubuntu.
Is it possible to do something malicious, by passing an unexpected string via the query?
Relevant attacks that come to mind are called path injection. For example, what if the query parameter is something like ../../etc/passwd (OK, this would probably not work as the user running this service would have no permissions, but you get the point). For example, it could be possible to overwrite your service code itself.
You should sanitize the parameter before adding it to the filename. The best would be a strict whitelist of letters and numbers that are allowed; anything else should be removed from the parameter. That way injection would not be possible.
You can also check whether the path you are writing to is actually under an explicitly allowed directory.
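The two checks suggested above (a strict allowlist, then confirming the path stays under an allowed directory), as an added Go example that is not part of the original answer. The cache directory name, the `result_` prefix, the 64-character limit and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

var (
	notAllowed    = regexp.MustCompile(`[^A-Za-z0-9]`) // allowlist: ASCII letters and digits
	errBadParam   = errors.New("parameter empty or too long after sanitizing")
	errOutsideDir = errors.New("resolved path is outside the cache directory")
)

// insideDir reports whether target lies under base (lexical check, symlinks not resolved).
func insideDir(base, target string) bool {
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return false
	}
	return rel != "." && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// cachePath builds <cacheDir>/<prefix><param>.json for use with WriteFile.
func cachePath(cacheDir, prefix, param string) (string, error) {
	clean := notAllowed.ReplaceAllString(param, "") // drop everything off the allowlist
	if clean == "" || len(clean) > 64 {             // 64 is an assumed length limit
		return "", errBadParam
	}
	base, err := filepath.Abs(cacheDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, prefix+clean+".json")
	if !insideDir(base, full) {
		return "", errOutsideDir
	}
	return full, nil
}

func main() {
	// Constructed sample inputs, including the traversal string from the answer.
	for _, q := range []string{"boxing", "../../etc/passwd", "../.."} {
		p, err := cachePath("cache", "result_", q)
		fmt.Printf("%q -> %q, %v\n", q, p, err)
	}
}
```

The containment check is a second layer: it still rejects the path if the prefix or a later code change reintroduces a `..` segment that the allowlist never saw.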
I will make a test in Python; here is the structure of the project:
app1/main.py
    while True:
        a = input()  # passing query
        with open("{}.json".format(a), "w") as f:
            f.write("Hello world")
Now I am a hacker, and I want to change "yourfile.json"
so I passed this
and then the content of yourfile.json becomes: Hello world
I can think of workarounds on how to get this working however I'm interested in finding out if there's a solution to this specific problem.
I've got a Go program which requires a JSON string argument:
go run main.go "{ \"field\" : \"value\" }"
No problems so far. However, am I able to run from the command line if one of the json values is another json string?
go run main.go "{ \"json-string\" : \"{\"nestedfield\" : \"nestedvalue\"}\" }"
It would seem that adding escape characters incorrectly matches up the opening and closing quotes. Am I misunderstanding how this is done or is it (and this is the side I'm coming down on) simply not possible?
To reiterate, this is a question that has piqued my curiosity - I'm aware of alternative approaches - I'm hoping for input related to this specific problem.
Why don't you just put your JSON config in a file and provide the config file name to your application using the flag package?
Based on the feedback from wiredeye I went down the argument route instead. I've modified the program to run on:
go run main.go field:value field2:value json-string:"{\"nestedfield\":nestedvalue}"
I can then iterate over the os.Args and get the nested json within my program. I'm not using flags directly as I don't know the amount of inputs into the program which would have required me to use duplicate flags (not supported) or parse the flag to a collection (doesn't seem to be supported).
Thanks wiredeye
What I'm trying to do for a PoC is to add an href to web pages coming from a dynamic backend server. Adding the href is easy using "subs_filter", but I need to use information embedded within the response to construct the href.
Is it possible to use LUA to process the response from proxy_pass, modify it and return to requester (client)?
Any and all suggestions welcome.
Below is the code I'm looking at; now I understand Lua better and how nginx uses it, I see that 'body_filter' is the correct way to. However, the code seems simple enough, but I can't get the regex to work.
Further background, I'm trying to parse the returned proxy_pass response, parse it for a start and end time, then construct a JS script url placed into the head.
Example response that I want to regex against.
Informações Adicionais
Horário de início: 08H50
Horário de término: 09H14
The code from within the 'location {}'
body_filter_by_lua '
-- my regex, which is valid but doesn't seem to be within LuaJIT
--local from, to, err = ngx.re.find(ngx.arg[1], "(.início: *\d{2}H\d{2})", "jo")
local from, to, err = ngx.re.find(ngx.arg[1], "início", "jo")
replacestr = string.sub(ngx.arg[1], to, 5)
replaceme = "<script></script></head>"
ngx.arg[1] = ngx.re.sub(ngx.arg[1],"</head>", replaceme)
';
Changing "início" to "head" for example works, so I'm assuming it is the accented char but I'm unable to find confirmation of this.
Changing "início" to "\d{2}H\d{2}" fails, with "body_filter_by_lua:5: invalid escape sequence near '"'"
I discovered what I mentioned in the comments regarding 'ngx.header.content_length' and, importantly, nginx and Lua require double escaping; see: lua-nginx-module special pcre sequences for more details.
The accented chars needed the flag 'u' adding to 'jo' of the 'ngx.re.find'
Use "body_filter_by_lua_file"
Equivalent to body_filter_by_lua, except that the file specified by contains the Lua code, or, as from the v0.5.0rc32 release, the Lua/LuaJIT bytecode to be executed.
When a relative path like foo/bar.lua is given, they will be turned into the absolute path relative to the server prefix path determined by the -p PATH command-line option while starting the Nginx server.
This directive was first introduced in the v0.5.0rc32 release.
I am integrating with a system that creates part of a URL and I supply part of the URL.
I supply this:
http://myServer/gis/default.aspx?MAP_NAME=myMap
The system supplies this:
?type=mrolls&rolls='123','456'
(the "rolls" change depending on what the user chooses in the system)
so, my URL ends up looking like this:
http://myServer/gis/default.aspx?MAP_NAME=myMap?type=mrolls&rolls='123','456'
I need to get the rolls but when I try this in VB.Net:
Dim URL_ROLL As String = Request.QueryString("rolls")
I get an incorrect syntax error.
I think it's a combination of the 2nd question mark and the single quotes.
When the system is only passing one roll, it works, I can get the rolls from the URL
which looks like this:
http://myServer/gis/default.aspx?MAP_NAME=myMap?type=roll&roll=123
I asked them to change the format of the system's URL but they can't change it without affecting the rest of their users.
Can anyone give me some ideas on how to get the rolls from the URL with single quotes?
OK, I believe I've fixed my problem.
I used a regular expression to remove anything in the querystring that wasn't a number or a comma.
Thanks again for taking time to make your comments, it made me look at the problem from a different angle.
I've created an API for use on my website.
The API I made strips everything using mysql_real_escape_string then puts it into the database.
But the problem I'm having is the URL that my php scripts are using to access the API is cut short sometimes...
Which I have narrowed down to one of the parameters...
When it's Ford Mondeo 22' the URL that is passed to simplexml_load_file is
http://mydomain.com/api/create.xml?api_number=brho15p6z1dhqwf5tsff&env=live&number=AJ20023232&title=Ford Mondeo 22'&image=http://mydomain.com/wp-content/uploads/2012/10/914955-150x150.jpg
but the API reports back the URL accessed as
http://mydomain.com/api/create.xml?api_number=brho15p6z1dhqwf5tsff&env=live&number=AJ20023232&title=Ford
If I remove the single quote then everything works fine. Any idea how to correct this? I suspect there's something I've overlooked when passing variables in the URL.
It is the spaces in the "Ford Mondeo 22'" value that are causing the problem. You cannot have spaces in the URL. You need to use escape characters. The encoded version of the parameter should be
Ford%20Mondeo%2022'
%20 is the escape character for space
I.e. the whole URL should read as follows:
http://mydomain.com/api/create.xml?api_number=brho15p6z1dhqwf5tsff&env=live&number=AJ20023232&title=Ford%20Mondeo%2022'&image=http://mydomain.com/wp-content/uploads/2012/10/914955-150x150.jpg
EDIT:
Your comment indicates that you use PHP. In PHP, you can use urlencode($foo) and urldecode($foo) to switch between the normal string and the encoding string.