This has been fixed and 2.24.1 released. My apologies for overlooking the issue.
On Sunday, 26 February 2023 at 05:51:30 UTC-8 [email protected] wrote:

> I submitted an issue #2457 <https://github.com/web2py/web2py/issues/2457>
> a month ago. Please leverage that one.
>
> On Monday, February 13, 2023 at 12:28:40 AM UTC-7 [email protected]
> wrote:
>
>> Hi pcg,
>>
>> I also created a bug report for this one and got a message from Massimo
>> that it would be fixed in a new release. A work-around I used was to
>> simply put the code below in the admin default.py into comment:
>>     *#if not a_for_check.startswith(web2py_apps_root):*
>>     *#    raise HTTP(403)*
>> But I don't know what the final solution will be in the official fix.
>>
>> Kind Regards,
>> David
>>
>> On Sunday, February 12, 2023 at 10:21:20 PM UTC+1 [email protected] wrote:
>>
>>> Have the same issue (python 3.10). I've tried the latest web2py 2.23.1,
>>> and it's the same. I'm kind of lost on this one.
>>>
>>> On Monday, January 9, 2023 at 05:44:16 UTC-5, [email protected] wrote:
>>>
>>>> I am using python 3.9.15
>>>>
>>>> On Monday, January 9, 2023 at 11:00:22 AM UTC+1 Clemens wrote:
>>>>
>>>>> Just a guess: What python version are you using? If you're still using
>>>>> python 2, it could be the reason.
>>>>>
>>>>> On Monday, January 9, 2023 at 10:55:21 AM UTC+1 [email protected]
>>>>> wrote:
>>>>>
>>>>>> Which is in turn caused by:
>>>>>>
>>>>>> *def app_pack*(app, request, raise_ex=False, filenames=None):
>>>>>>     """Builds a w2p package for the application
>>>>>>
>>>>>>     Args:
>>>>>>         app(str): application name
>>>>>>         request: the global request object
>>>>>>     Returns:
>>>>>>         filename of the w2p file or None on error
>>>>>>
>>>>>>     """
>>>>>>     try:
>>>>>>         if filenames is None:
>>>>>>             app_cleanup(app, request)
>>>>>>         *filename = apath('../deposit/web2py.app.%s.w2p' % app, request)*
>>>>>>         w2p_pack(filename, apath(app, request), filenames=filenames)
>>>>>>         return filename
>>>>>>     except Exception as e:
>>>>>>         if raise_ex:
>>>>>>             raise
>>>>>>         return False
>>>>>>
>>>>>> On Monday, January 9, 2023 at 10:37:57 AM UTC+1 Davidiam wrote:
>>>>>>
>>>>>>> I found where this is occurring (out of the box run, no mods):
>>>>>>>
>>>>>>> C:\Users\u30591\web2py_2.23.0\web2py\applications\admin\controllers\default.py:
>>>>>>> def safe_open(a, b):
>>>>>>>     if (DEMO_MODE or is_gae) and ('w' in b or 'a' in b):
>>>>>>>         class tmp:
>>>>>>>
>>>>>>>             def write(self, data):
>>>>>>>                 pass
>>>>>>>
>>>>>>>             def close(self):
>>>>>>>                 pass
>>>>>>>         return tmp()
>>>>>>>
>>>>>>>     a_for_check = os.path.abspath(os.path.normpath(a))
>>>>>>>     web2py_apps_root = os.path.abspath(up(request.folder))
>>>>>>>
>>>>>>>     *if not a_for_check.startswith(web2py_apps_root):*
>>>>>>>         *raise HTTP(403)*
>>>>>>>
>>>>>>> Because:
>>>>>>> *web2py_apps_root* =
>>>>>>> 'C:\\Users\\myuser\\web2py_2.23.0\\web2py\\applications'
>>>>>>> *a_for_check* =
>>>>>>> 'C:\\Users\\myuser\\web2py_2.23.0\\web2py\\deposit\\web2py.app.403_test.w2p'
>>>>>>>
>>>>>>> On Thursday, January 5, 2023 at 9:54:07 AM UTC+1 Davidiam wrote:
>>>>>>>
>>>>>>>> Good Morning,
>>>>>>>>
>>>>>>>> We are using IIS 10 with web2py 2.23.0.
>>>>>>>>
>>>>>>>> When I try to pack the welcome application (or any other), using
>>>>>>>> pack_all I get a 403 error.
>>>>>>>> When I try to pack the welcome application (or any other), using
>>>>>>>> pack_custom, it first displays the file selector and when I click on
>>>>>>>> download as .w2p I get a 403 error.
>>>>>>>>
>>>>>>>> This seems to be related to the open_redirect changes. I tried
>>>>>>>> putting the 403 error related code from the admin\default.py
>>>>>>>> controller in
>>>>>>>> comment, but it still is giving the error.
>>>>>>>>
>>>>>>>> Kind Regards,
>>>>>>>> David
>>>>>>>>
>>>>>>>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/21c3152c-0741-4f1e-8d68-60fd95d1c888n%40googlegroups.com.
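
The check quoted in the thread tests the normalized path with `startswith` against the applications folder only, which is why the pack target under `deposit` is refused with a 403. As an added example (not web2py's code and not the fix shipped in 2.24.1), the sketch below compares per path component against an explicit list of allowed roots; the function names, the `/srv/web2py` layout and the file names are constructed for illustration, and `PermissionError` stands in for `HTTP(403)`.

```python
import os

def prefix_check(path, root):
    """The string-prefix test quoted in the thread."""
    return os.path.abspath(os.path.normpath(path)).startswith(os.path.abspath(root))

def is_within(path, root):
    """True if path is root or lies below it, compared per path component."""
    path, root = os.path.abspath(path), os.path.abspath(root)
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # e.g. paths on different Windows drives
        return False

def check_open_target(path, allowed_roots):
    """Return the normalized path if it is inside an allowed root, else raise."""
    target = os.path.abspath(os.path.normpath(path))
    if any(is_within(target, root) for root in allowed_roots):
        return target
    raise PermissionError("outside allowed roots: %s" % target)  # stands in for HTTP(403)

# Constructed layout mirroring the paths quoted in the thread (hypothetical install dir).
WEB2PY = "/srv/web2py"
APPS = os.path.join(WEB2PY, "applications")
DEPOSIT = os.path.join(WEB2PY, "deposit")

CASES = {
    "pack target": os.path.join(APPS, "../deposit/web2py.app.403_test.w2p"),
    "app file": os.path.join(APPS, "welcome/models/db.py"),
    "sibling prefix": os.path.join(WEB2PY, "applications_old/x.py"),
    "above both roots": os.path.join(APPS, "welcome/../../notes.txt"),
}

def allowed(path):
    """True if path passes the multi-root check, False if it would be refused."""
    try:
        check_open_target(path, [APPS, DEPOSIT])
        return True
    except PermissionError:
        return False

def demo():
    """Map each case to (result of the prefix test, result of the multi-root check)."""
    return {name: (prefix_check(p, APPS), allowed(p)) for name, p in CASES.items()}

if __name__ == "__main__":
    for name, (old, new) in demo().items():
        print("%-18s prefix_check=%-5s multi_root=%s" % (name, old, new))
```

Unlike commenting the check out, this keeps the containment test in place for every other path that reaches the open call.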

