Setting up xpath_sifter.py in config.ini
Sam Ruby
rubys at intertwingly.net
Sat Oct 21 12:18:34 EST 2006
Harry Fuecks wrote:
> Following on from
> http://lists.planetplanet.org/archives/devel/2006-October/001189.html
> - (thanks for fixing)
>
> Is it possible to define the require / exclude xpath statements for
> xpath_sifter.py on a per-feed basis in config.ini, under the section
> for ? It seems like they can only be defined once and are then applied
> to all feeds, but I may have misunderstood. Dealing with two separate
> feeds now where there are multiple authors, but only want entries from
> one of them in each case.
Not at the moment, but it would be easy to add.
One thought would be to allow the filter name to be followed by a set of
name/value pairs. A familiar syntax to most is URI parameters, and that
even provides a built-in syntax for escaping. In the case of xpath
expressions (which tend to use special characters), this looks a bit
odd, but workable:
filters = xpath_sifter.py?require=//atom%3Acategory%5B%40term%3D%27two%27%5D
> Also is it likely to be safe to allow the require / exclude rules to
> be defined by untrusted sources - specifically worried about shell
> command injection - it looks to me like an attempt to inject a command
> via the options - perhaps something like require: ;rm * would bubble
> through to some os.exec* function but not actually result in rm *
> being executed, rather handled as an option.
http://www.google.com/search?q=xpath+injection+attack
Initial read to my untrained eyes: I don't think the security issues
that are described here affect you.
> I'm generating the config.ini file from contents of a wiki (described
> here http://www.webtuesday.ch/wiki/planet) and trying to extend that
> so people can add xpath_sifter.py rules in the same manner - wondering
> how much input validation I need (hoping to avoid validating the xpath
> expressions themselves)
That's very cool.
It seems to me that XPATH expressions aren't very user-friendly, at least
not to typical WIKI users. Another approach would be to define a simple
syntax for a simple subset of typical queries, and either generate XPATH
expressions from this, or skip XPATH entirely and pass the query
directly to a python (or perl) filter to evaluate against the entry.
> Many thanks.
- Sam Ruby
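As an added illustration of the syntax proposed above (my own example, not Sam's code or Planet's), here is how a wiki-to-config generator could encode a rule into the `filters` value and how the config reader could decode it back, with the decoded rule kept as an opaque XPath string rather than anything resembling shell input. It assumes the `filters` value lists specs separated by whitespace and that only `require` and `exclude` keys are meaningful.

```python
from urllib.parse import parse_qsl, quote

# Only these parameter names are meaningful to xpath_sifter.py (assumed).
ALLOWED_KEYS = {"require", "exclude"}


def parse_filter_spec(spec):
    """Split 'xpath_sifter.py?require=...' into (name, {key: [values]}).

    The query part is percent-decoded by urllib.parse, so the XPath
    special characters (: [ @ = ') survive config.ini unharmed.  The
    result is plain data: the caller hands it to an XPath engine, never
    to a shell, so a value such as ";rm *" is just an (invalid) path.
    """
    name, _, query = spec.partition("?")
    # The name selects a filter script, so it must be a bare file name.
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError(f"bad filter name: {name!r}")
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=False):
        if key not in ALLOWED_KEYS:
            raise ValueError(f"unknown parameter {key!r} for {name}")
        params.setdefault(key, []).append(value)
    return name, params


def parse_filters_line(line):
    """Parse a whole 'filters =' value: whitespace-separated specs (assumed)."""
    return [parse_filter_spec(spec) for spec in line.split()]


def encode_filter_spec(name, params):
    """Inverse of parse_filter_spec, for a generator that writes config.ini.

    quote() leaves '/' alone but escapes the rest, which reproduces the
    form shown in the message above.
    """
    query = "&".join(f"{key}={quote(v)}" for key, vs in params.items() for v in vs)
    return f"{name}?{query}" if query else name


if __name__ == "__main__":
    rule = "//atom:category[@term='two']"          # constructed sample rule
    spec = encode_filter_spec("xpath_sifter.py", {"require": [rule]})
    print(spec)
    print(parse_filters_line(spec + " other_filter.py"))
```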