The change is necessary to prevent this: http://www.owasp.org/index.php/CRLF_Injection
It is not a major concern since this only applies to the case of a value of f provided by the user. This URL(....f='open_option?id=....') should be discouraged anyway because the value of id=... should not be properly escaped. Anyway, you are right that we do not want to break existing apps. I changed it in trunk (337) to avoid the issue, while leaving the security fix in place. Thanks for bringing this up.

Massimo

On Dec 31, 9:06 am, Fran <francisb...@googlemail.com> wrote:
> On Dec 31, 2:25 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
> > Are you calling it with
> > URL(....f='open_option?id=3')
> > instead of
> > URL(....f='open_option',vars=dict(id=3))
>
> Yes:
> URL(r=request,f='open_option?id=%s'%option.id)
>
> I can easily change this in my app, however I wonder how many other
> apps will break from having made the same error?
>
> F
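The following is an added illustration, not code from this thread or from web2py itself. It is a small stand-in for a URL helper with the same two call shapes discussed above (a query string smuggled into f versus a vars= dict), showing why the first form lets a user-controlled value carry CR/LF into the generated URL and why the second form percent-encodes it. The function-name pattern, the hypothetical naive_url/safe_url names and the sample inputs are assumptions made for the example.

```python
import re
from urllib.parse import urlencode

# Assumption for this example: a "function" component of a web2py-style
# /app/controller/function URL is a plain identifier-like token.  Anything
# else (a '?', a '/', a CR or LF, ...) is rejected rather than emitted.
FUNC_RE = re.compile(r'^[\w.-]+$')


def naive_url(a, c, f):
    """Constructed 'before' form: f is dropped into the path verbatim.

    If f came from the request (e.g. 'open_option?id=' + user value), a
    value containing '\\r\\n' ends up inside the URL unchanged, which is the
    CRLF-injection risk the thread refers to.
    """
    return '/%s/%s/%s' % (a, c, f)


def safe_url(a, c, f, vars=None):
    """Constructed 'after' form: validate f, put parameters in vars.

    The query string is built with urllib's urlencode, so CR, LF, ':' and
    other reserved bytes in a parameter value come out percent-encoded.
    """
    if not FUNC_RE.match(f):
        raise ValueError('invalid function name: %r' % f)
    url = '/%s/%s/%s' % (a, c, f)
    if vars:
        # sorted() only makes the output order deterministic for the checks
        url += '?' + urlencode(sorted(vars.items()))
    return url


def has_crlf(url):
    """Check a generated URL for raw line breaks before sending it in a header."""
    return '\r' in url or '\n' in url


if __name__ == '__main__':
    # Constructed attacker-controlled id, as it might arrive in request.vars
    injected = '3\r\nSet-Cookie: a=b'

    print(naive_url('app', 'default', 'open_option?id=%s' % injected))
    print(has_crlf(naive_url('app', 'default', 'open_option?id=%s' % injected)))

    try:
        safe_url('app', 'default', 'open_option?id=%s' % injected)
    except ValueError as e:
        print('rejected:', e)

    print(safe_url('app', 'default', 'open_option', vars=dict(id=3)))
    print(safe_url('app', 'default', 'open_option', vars=dict(id=injected)))
```

With the injected value, naive_url returns a string containing a literal CR LF pair, so has_crlf flags it; safe_url refuses the smuggled-query form outright and, when the same value is passed through vars, emits id=3%0D%0ASet-Cookie%3A+a%3Db, which no header parser will split.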