I don't see how allowing ~ is a bad idea while ../ in the query string is allowed.
I.e. "index?a=../../etc/passwd". This is at the level where if a tilde isn't secure, then neither should periods be, which is of course a bit ridiculous.

On Jul 29, 4:25 am, mdipierro <mdipie...@cs.depaul.edu> wrote:
> Sorry, allowing ~ is a bad idea. It may allow directory traversal
> attacks.
>
> Massimo
>
> On Jul 29, 2:35 am, Bottiger <bottig...@gmail.com> wrote:
>
> > I was going over Web2Py code, and I noticed that the allowable URLs
> > are a bit narrow.
> >
> > As a reference for URL handling, I am using RFC
> > 3986: http://tools.ietf.org/html/rfc3986
> > which has a summary at Wikipedia
> > here: http://en.wikipedia.org/wiki/Percent-encoding
> >
> > The default allowable URLs are nearly equivalent to the RFC 3986
> > unreserved characters with the exception of the tilde. I think it
> > would be reasonable to allow for its inclusion as an argument. Another
> > addition would be the inclusion of parentheses, which are used in some
> > websites such as Wikipedia:
> >
> > http://en.wikipedia.org/wiki/Cell_(biology)
> >
> > Parentheses are currently listed as "reserved characters" but so far
> > there haven't been any reservations for them. We might try to
> > investigate which other characters could be allowed into Web2Py URLs,
> > but for now here is the patch that allows for tildes and parentheses.
> >
> > --- C:\temp\main.py-revBASE.svn000.tmp.py Wed Jul 29 00:23:10 2009 > > +++ C:\web2py\gluon\main.py Wed Jul 29 00:21:10 2009
> > @@ -89,7 +89,7 @@ > > )? > > ( # (/s) > > /(?P<s> # /a/c/f.e/s=sub > > - ( [\w\-][\=\./]? )+ > > + ( [\w\-~\(\)][\=\./]? )+ > > ) > > )? > > )?
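Review bot: the widened class `[\w\-~\(\)]` on the `+` line still leaves each repetition of the `s` group as one class character followed by at most one `=`, `.` or `/`, so two consecutive dots cannot match before or after this change; the traversal objection in the reply does not follow from the regex itself, and what the patch description should state instead is where `s` values flow after routing, because any later filesystem or shell use of an argument is the place where a leading `~` or a parenthesis would need handling. Two smaller points: the backslashes in `\(\)` are unnecessary inside a character class (`[\w\-~()]` reads the same), and the hunk carries no test; a case built from the `Cell_(biology)` argument in the description, plus one with `~`, would document the intended change.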
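To check the claim argued over in the exchange above, here is an added example (not web2py's own code and not from the thread): it compiles the `s` group's repeat unit as quoted in the hunk, before and after the patch, reports which argument strings each accepts, and adds a path-containment check of the kind that has to sit wherever an argument is joined onto a filesystem path, since the URL regex is not that check. The base directory `/srv/app/uploads` is a constructed placeholder.

```python
import os
import re

# The repeat unit of the "s" (args) group as quoted in the hunk, before and
# after the patch. The surrounding web2py regex carries "# ..." comments, so
# it is compiled in verbose mode; the same flag is used here.
ARGS_BEFORE = re.compile(r"( [\w\-][\=\./]? )+", re.VERBOSE)
ARGS_AFTER = re.compile(r"( [\w\-~\(\)][\=\./]? )+", re.VERBOSE)


def args_allowed(pattern, arg):
    """True if the whole argument string matches the repeat unit.

    Each repetition consumes one class character followed by at most one of
    '=', '.' or '/', so two consecutive dots can never match, with or without
    the patch: '..' is rejected by the structure, not by the class."""
    return pattern.fullmatch(arg) is not None


def compare(arg):
    """Accept/reject verdict for one argument under both character classes."""
    return {"before": args_allowed(ARGS_BEFORE, arg),
            "after": args_allowed(ARGS_AFTER, arg)}


def resolve_within(base_dir, arg):
    """Join a routed argument onto base_dir and refuse anything that escapes.

    os.path.join does not expand '~', so a leading tilde stays a literal
    directory name here; the realpath comparison is what stops '../' and
    symlink escapes. Returns the resolved path, or None when rejected."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, arg))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for sample in ("Cell_(biology)", "~user/readme", "a/../b", "a..b"):
        print(sample, compare(sample))
    # Constructed base directory; nothing is read or written.
    for sample in ("~user/readme", "../../etc/passwd"):
        print(sample, resolve_within("/srv/app/uploads", sample))
```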