I mean, note the URL:

On Wed, Jul 29, 2009 at 10:33 AM, Yarko Tymciurak <yark...@gmail.com> wrote:

> Note:  
> https://code.launchpad.net/~mdipierro/web2py/devel
>
>
> On Wed, Jul 29, 2009 at 6:25 AM, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
>>
>> Sorry, allowing ~ is a bad idea. It may allow directory traversal
>> attacks.
>>
>> Massimo
>>
>> On Jul 29, 2:35 am, Bottiger <bottig...@gmail.com> wrote:
>> > I was going over Web2Py code, and I noticed that the allowable URLs
>> > are a bit narrow.
>> >
>> > As a reference for URL handling, I am using RFC 3986:
>> > http://tools.ietf.org/html/rfc3986
>> > which has a summary at Wikipedia here:
>> > http://en.wikipedia.org/wiki/Percent-encoding
>> >
>> > The default allowable URLs are nearly equivalent to the RFC 3986
>> > unreserved characters with the exception of the tilde. I think it
>> > would be reasonable to allow for its inclusion as an argument. Another
>> > addition would be the inclusion of parentheses, which are used in some
>> > websites such as Wikipedia:
>> >
>> > http://en.wikipedia.org/wiki/Cell_(biology)
>> >
>> > Parentheses are currently listed as "reserved characters" but so far
>> > there hasn't been any reservations for them. We might try to
>> > investigate which other characters could be allowed into Web2Py urls,
>> > but for now here is the patch that allows for tildes and parentheses.
>> >
>> > --- C:\temp\main.py-revBASE.svn000.tmp.py       Wed Jul 29 00:23:10
>> 2009
>> > +++ C:\web2py\gluon\main.py     Wed Jul 29 00:21:10 2009
>> > @@ -89,7 +89,7 @@
>> >                   )?
>> >                   (                   # (/s)
>> >                       /(?P<s>         # /a/c/f.e/s=sub
>> > -                     ( [\w\-][\=\./]? )+
>> > +                     ( [\w\-~\(\)][\=\./]? )+
>> >                       )
>> >                   )?
>> >               )?
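Review bot: on the `+` line, `~`, `(` and `)` go into the class that matches the leading character of every unit, so a segment may now start with `~` and be followed directly by `/` (for example `~/`), which is the case the reply above objects to. If tilde is wanted, consider accepting it only after a `\w` character rather than in the leading class, or add only the parentheses. The backslashes in `\(\)` are not needed inside a character class, and the change carries no comment on why each new character is safe for code that consumes the args.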
>> >>
>>
>
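Added example, not part of the thread or of web2py's code: it anchors the two fragments from the quoted hunk on their own (an assumption, since the rest of the URL regex is not on the page) and reports which constructed args values only the patched fragment accepts. The function names and sample values are hypothetical.

```python
import re

# The args fragment from the quoted hunk, before and after the patch.
# Assumption: each fragment is matched on its own with fullmatch(); the
# surrounding web2py URL regex is not shown on the page.
ORIGINAL = re.compile(r"( [\w\-][\=\./]? )+", re.VERBOSE)
PATCHED = re.compile(r"( [\w\-~\(\)][\=\./]? )+", re.VERBOSE)

# Constructed sample values (not taken from any real request log).
SAMPLES = [
    "a/c/f.e/s=sub",            # the form documented in the regex comment
    "Cell_(biology)",           # parentheses, as in the Wikipedia URL
    "~mdipierro/web2py/devel",  # tilde, as in the Launchpad URL
    "~/notes",                  # tilde as a whole leading segment
    "a/../b",                   # dot-dot segment
    "~/../b",                   # tilde followed by a dot-dot segment
    "a//b",                     # empty segment
]


def accepts(pattern, value):
    """True if the whole value matches the fragment."""
    return pattern.fullmatch(value) is not None


def newly_accepted(samples=SAMPLES):
    """Values the patch lets through that the original fragment rejected."""
    return [s for s in samples
            if accepts(PATCHED, s) and not accepts(ORIGINAL, s)]


def rejected_by_both(samples=SAMPLES):
    """Values neither fragment accepts."""
    return [s for s in samples
            if not accepts(PATCHED, s) and not accepts(ORIGINAL, s)]


if __name__ == "__main__":
    print("newly accepted:  ", newly_accepted())
    print("rejected by both:", rejected_by_both())
```

Both fragments reject `..` segments because each `.` or `/` must follow a character from the leading class; what the patch changes is that `~` can now open a segment, so any consumer of args that treats a leading tilde specially needs its own check.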
