Bottle.py path handling, Crypto, China & India Internet, IPsec, ZingChart

posted Nov 2, 2014, 2:25 AM by Sami Lehtinen   [ updated Nov 2, 2014, 2:26 AM ]
Bottle.py URL handling

Bottle.py handles URLs as real paths, even if the paths do not refer to real filesystem paths at all. Is this a good or bad design? I don't know. I'm just curious why they're doing it like this.

I'm just curious why parts of the URL are treated as a (real) path with parent directory links. Is there any way to disable this? Or is it mandatory to use a parameter for that?

Example:
request: /request
returns: /request
but ...
request: /request/..
returns: /
request: /request/../testing
returns: /testing

Why? It also might look or sound like a potential flaw. But I assume this is intentional.

Of course /request?q=.. works by passing the parameter q=.. to /request

Also, using %2f instead of . interestingly enough works.

I tried Googling around and I didn't find a proper answer for this particular question.
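As an added illustration (not Bottle's own code), the mapping observed above can be reproduced with posixpath.normpath, and a small WSGI middleware shows how a deployment could refuse dot segments before the framework ever routes them. The middleware and its helper names are my own assumptions, not part of Bottle.

```python
import posixpath
from urllib.parse import unquote


def normalize_request_path(path: str) -> str:
    """Collapse '.' and '..' segments like a filesystem-style normaliser.

    This reproduces the observed mapping (/request/.. -> /); it is an
    assumption about the kind of normalisation at work, not Bottle's code.
    """
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)
    return norm if norm else "/"


def has_dot_segments(raw_path: str) -> bool:
    """True if any path segment (after percent-decoding) is '.' or '..'.

    The query string is not part of PATH_INFO, so '/request?q=..' passes:
    the '..' there is a parameter value, matching the observation above.
    """
    decoded = unquote(raw_path)
    return any(seg in (".", "..") for seg in decoded.split("/"))


class RejectDotSegments:
    """Hypothetical WSGI middleware: answer 400 before the app sees the path."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if has_dot_segments(environ.get("PATH_INFO", "")):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"dot segments are not allowed\n"]
        return self.app(environ, start_response)


def middleware_status(path: str) -> str:
    """Run the middleware around a trivial app and return the HTTP status."""
    captured = {}

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]

    def start_response(status, headers):
        captured["status"] = status

    list(RejectDotSegments(app)({"PATH_INFO": path}, start_response))
    return captured["status"]
```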

Smaller things:
  • STaT Yes, I'm a Special Tools and Tactics guy. I'll do whatever needs to be done, to get the job done. Did I just come up with the term? Yeah, I did. ;)
  • Absolutely great post about how cryptography is being intentionally broken by designing bad software and recommending insecure or badly designed standards, as well as burying something which would be better.
  • Facebook's software architecture, a good post which summarises Haystack & Memcache caching.
    KW: social graph, ACL, MySQL, Memcache, read heavy, blob storage, caching, F4, Haystack, fault tolerant, replication, big data, erasure coding.
  • How did the Feds find the Dread Pirate Roberts? This story (Schneier on Security) is interesting. There has been so much discussion about parallel construction earlier. Maybe the real information came from the NSA, but as is known, intelligence information can't be used directly, because it would reveal what they're doing and their capabilities.
  • RunAbove presents interesting Power 8 based cloud hosting, allowing you to run 176 parallel threads on their latest cloud servers. I guess that's great for web hosting & databases. They also provide bandwidth which costs only USD$0.01/GB.
  • China is MitM:ing Apple's iCloud. Somehow this doesn't surprise me at all. It's also interesting that they're also MitM:ing Github and login.live.com (Microsoft, Hotmail, Outlook). Of course it can be used for sharing many kinds of information. As well, the popular Chinese browser Qihoo 360 is designed to allow MitM:ing by skipping site validation. 2 step login won't protect from situations where the logged in user cookie is being stolen using MitM.
  • India is snooping and blocking network traffic. Goes in the same category as China and ehh, Finland. Nothing new. Some sites are blocked / censored and network traffic is monitored.
  • Reminded myself about HSPA+ Enhanced Cell-FACH.
  • Had even more fun with IPsec VPN tunnels, it's such unbearably bad technology, unreliable, painful to configure, maybe insecure, etc. After a few weeks of finetuning and permutating all possible configurations we found a configuration set that seems to mostly work. We had to disable DPD because it seemed to be one of the sources of the problem. DPD detected under load that the network is down and caused the VPN to go down. When DPD is disabled everything is working. It's just so funny how technology designed to detect problems is actually causing those. I'm just waiting to see cars which have automatic collision avoidance, and those cause more deaths by causing the car to suddenly change lane or brake, drive off bridges and so on. Automation is just so nice master.
  • Checked fast HTML5 charting library ZingChart. Really nice, quick and light. No more hosting images or generating those on the fly using PHP or something similar legacy stuff.