Python Forum

Full Version: any concerns around using os.path.isFile() in web app
hello,

Are there any security concerns if I use os.path.isFile() in the context of a Flask web server? I do not want to hardcode web pages, so I made an if statement to see if the provided URI matches any file inside the Flask root of templates. So, what the user enters will be checked by Python to see if it corresponds with any file. I am very new to Python and I come from different languages, so I just want to make sure that Python does not have any kind of not-so-obvious problems with the method I use.

thank you in advance.
I guess there is some big misunderstanding here - why do you want to check if files exist in templates?
By "in templates" I mean the folder where all Jinja2 templates are stored. My method makes it so I can simply create an .html file inside the templates folder and then Flask will automatically make the correct URL available because the file itself exists. I wanted to create a behavior similar to the old days, when I could simply create an html file inside a folder and it was instantly available without needing to alter any code.
I understand what you mean by "in templates", but what you are doing does not make much sense - e.g. creating html files on the fly... Can you show us some code and elaborate on the use case/goal? I.e. the logic is the opposite - you have static template files created, then you populate the content dynamically. That's why they are templates...
This is how I did it:
1. get the path from the URL ( /somePage for example )
2. remove the html extension if present
3. then check if the corresponding Jinja2 template exists ( it should be templates/pages/somePage.html )
4. if it does, respond with HTTP 200 and render templates/pages/somePage.html
5. if it does not exist, respond with HTTP 404 and render the error page template

In that way, I do not have to hardcode each page I have. If I want to add a page, I simply create an html file inside the templates/pages folder and call it whatever I want to call it. If I call it helloworld.html, then that page will be available via /helloworld.

If you still do not understand, then you are not the person I am looking for.
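The five steps above, written out as an added example (my code, not the poster's and not a Flask helper): the os.path.isfile() check runs only after the requested name has been confined to templates/pages, because joining a user-supplied path straight onto the template folder lets a "../" segment reach files outside it. The `<path:page>` route, the 404.html error template and the demo directory contents are assumptions, not from the thread.

```python
import os
import tempfile

PAGES_SUBDIR = "pages"

def resolve_page_template(url_path, templates_dir):
    """Map "/somePage" or "/somePage.html" to "pages/somePage.html"; None if missing or unsafe."""
    # Steps 1-2: path from the URL, optional .html extension removed.
    name = url_path.strip("/")
    if name.endswith(".html"):
        name = name[: -len(".html")]
    # Only a single plain segment is accepted: isfile() alone would happily
    # accept "../secret_layout" or "../../app.py" whenever such a file exists.
    if not name or "/" in name or "\\" in name or "\x00" in name or name.startswith("."):
        return None
    pages_dir = os.path.realpath(os.path.join(templates_dir, PAGES_SUBDIR))
    candidate = os.path.realpath(os.path.join(pages_dir, name + ".html"))
    # Containment check after symlinks are resolved, so a stray symlink
    # inside pages/ pointing elsewhere is rejected too.
    if os.path.commonpath([pages_dir, candidate]) != pages_dir:
        return None
    # Step 3: the corresponding Jinja2 template must be a regular file.
    if not os.path.isfile(candidate):
        return None
    return f"{PAGES_SUBDIR}/{name}.html"

def build_demo_templates_dir():
    """Constructed sample templates/ tree (demo data, not the poster's project); returns its path."""
    templates_dir = tempfile.mkdtemp(prefix="flask_pages_demo_")
    pages_dir = os.path.join(templates_dir, PAGES_SUBDIR)
    os.makedirs(pages_dir)
    with open(os.path.join(pages_dir, "helloworld.html"), "w") as fh:
        fh.write("<h1>hello world</h1>\n")
    with open(os.path.join(templates_dir, "secret_layout.html"), "w") as fh:
        fh.write("<!-- outside pages/, must never be served -->\n")
    return templates_dir

if __name__ == "__main__":
    # Flask wiring for steps 4-5; the route and the 404.html template name are assumed.
    from flask import Flask, render_template
    app = Flask(__name__)
    templates_root = os.path.join(app.root_path, app.template_folder)
    @app.route("/<path:page>")
    def serve_page(page):
        template = resolve_page_template(page, templates_root)
        if template is None:
            return render_template("404.html"), 404  # step 5: HTTP 404
        return render_template(template)  # step 4: HTTP 200
    app.run()
```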
Just for a moment, think about what will happen if someone attacks with a bunch of requests for non-existing pages and you create a bunch of files...
(Aug-23-2020, 09:15 PM) it07 wrote: "If you still do not understand, then you are not the person I am looking for."
You really need to find a good book or tutorial on Flask and do some serious reading. Good luck.
(Aug-23-2020, 09:15 PM) it07 wrote: "In that way, I do not have to hardcode each page I have. If I want to add a page, I simply create an html file inside the templates/pages folder and call it whatever I want to call it. If I call it helloworld.html, then that page will be available via /helloworld."

This could be possible, but it is total nonsense.
If you follow this pattern, you have to shift the complete business logic into your templates.


If you just want to do what Apache2 or Nginx does, then use static files.

Static files are sent unmodified, and they don't use the template engine.
Static files which should change afterwards can do a fetch or XHR request
to get additional information from a route and manipulate the DOM.
This is what the shiny frameworks like Angular are doing.

If you hate JavaScript, then you'd better use the templates.
This saves you from writing JavaScript which has to fetch the information.

To be more secure, you have to use an Nginx reverse proxy.
There you can also forbid routes.

My small project uses all 3 methods (but with FastAPI).
I have the normal static content, which is delivered by Nginx (not from Python).
My templates do have fixed routes in Nginx (which I want to change).
Then I have some JavaScript on the index page which fetches the information
from a LiFePo4 battery and visualizes it.