[Zope-dev] (no subject)
Gregor Heine
heine@cdc-group.com
Sun, 15 Oct 2000 14:35:22 +0200
> I recently asked how to read in and render the contents of
> an external file, which doesn't work anymore using
> Zope 2.2.2 and LocalFS' xxx.read(), and you responded that
>
> > The quickest solution for you would be an external method
> > that gets the file, performs the "read" and returns the result.
>
> Now I use in an external method fsreadin a .py-module with
>
> import sys
> def readinfile (self, html):
>     """Ralf Herolds way to read in local file objects."""
>     file = open(html, "r")
>     filecontent = file.read()
>     file.close()
>     return filecontent
>
> which is referenced in a DTML method by
> <dtml-var "fsreadin('/tmp/var/thewantedtext.html')">.
>
> It works, but I almost cannot believe that this is that
> simple - am I missing something, is security a concern?
>
It *is* that simple. The only problem is security. That way, you can read
*any* file that has read permission for the user the zope process is
running as, e.g. everybody could use something like
http://your.host/fsreadin?html='/etc/passwd' to view your password file.
If you want to read files only from one directory, you could use:
import sys, os, string
def readinfile (self, file):
    """Ralf Herolds way to read in local file objects."""
    # Keep only the last path component: strip everything up to the last
    # '/', '\' or ':' so that directories and drive letters in the request
    # are discarded. (rfind returns -1 when the separator is absent.)
    file = file[max(string.rfind(file, '/'), string.rfind(file, '\\'),
                    string.rfind(file, ':')) + 1:]
    # Then build the path inside the one allowed directory.
    path = os.path.join('/tmp', 'var', file)
    file = open(path, "r")
    filecontent = file.read()
    file.close()
    return filecontent
This would ensure that only files from /tmp/var can be read.
Cheers,
Gregor!
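As an added illustration of the point made in this thread (example code, not part of the original mail and not Zope's or LocalFS' own code), the following Python 3 script puts the three variants side by side: the unrestricted reader from the question, the strip-to-basename reader from the reply, and a stricter variant that resolves the requested path and refuses anything outside the allowed directory. The directories, file names and contents are constructed in a temporary location for the demo; the names readinfile_unrestricted, readinfile_basename, readinfile_confined and rejects are assumptions for this example.

```python
import os
import tempfile

# Constructed sample layout for the demo: one allowed directory standing in
# for /tmp/var, and one directory outside it standing in for /etc.
BASE_DIR = tempfile.mkdtemp(prefix="fsreadin-allowed-")
with open(os.path.join(BASE_DIR, "thewantedtext.html"), "w") as fh:
    fh.write("<p>the wanted text</p>")

OUTSIDE_DIR = tempfile.mkdtemp(prefix="fsreadin-outside-")
with open(os.path.join(OUTSIDE_DIR, "secret.txt"), "w") as fh:
    fh.write("root:x:0:0")

# A symlink inside the allowed directory that points outside it. Creation is
# guarded because not every platform/filesystem permits symlinks.
try:
    os.symlink(os.path.join(OUTSIDE_DIR, "secret.txt"),
               os.path.join(BASE_DIR, "link.txt"))
    HAS_SYMLINK = True
except (OSError, NotImplementedError):
    HAS_SYMLINK = False


def readinfile_unrestricted(html):
    """The pattern from the question: opens whatever path the caller supplies."""
    with open(html, "r") as fh:
        return fh.read()


def readinfile_basename(name, base_dir=BASE_DIR):
    """The reply's approach: keep only the last path component, then join it
    to the allowed directory. '/', '\\' and ':' are all treated as separators;
    rfind returns -1 when absent, so a plain file name passes through unchanged."""
    name = name[max(name.rfind("/"), name.rfind("\\"), name.rfind(":")) + 1:]
    path = os.path.join(base_dir, name)
    with open(path, "r") as fh:
        return fh.read()


def readinfile_confined(name, base_dir=BASE_DIR):
    """Stricter variant: resolve '..' and symlinks, then refuse any result that
    is not inside base_dir instead of silently rewriting the request.
    os.path.join drops base_dir when name is absolute, which is why the check
    runs on the resolved path rather than on the input string."""
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes the allowed directory: %r" % name)
    with open(path, "r") as fh:
        return fh.read()


def rejects(reader, name):
    """True when `reader` refuses to serve `name` (missing file or policy error)."""
    try:
        reader(name)
    except (OSError, ValueError):
        return True
    return False


if __name__ == "__main__":
    secret = os.path.join(OUTSIDE_DIR, "secret.txt")
    print("unrestricted reads outside:", readinfile_unrestricted(secret))
    print("basename blocks absolute path:", rejects(readinfile_basename, secret))
    print("confined blocks absolute path:", rejects(readinfile_confined, secret))
    if HAS_SYMLINK:
        print("basename follows symlink:", readinfile_basename("link.txt"))
        print("confined blocks symlink:", rejects(readinfile_confined, "link.txt"))
```

The basename approach stops absolute paths and `..` traversal because the separator is stripped before the join, but it still reads anything reachable through a symlink that already sits inside the allowed directory. The confined variant catches that case too, at the cost of rejecting the request outright rather than mapping it to a file name in the allowed directory.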