On Aug 8, 2011, at 9:23 AM, Anthony wrote:

> On Monday, August 8, 2011 11:59:34 AM UTC-4, Massimo Di Pierro wrote:
> > because we work under the assumption that this is unsafe as args may
> > be used to access the filesystem (for example by the download
> > function). Few characters are allowed in the path_info
>
> Got it. Thanks.

This is handled better (for some definition of "better") with the parametric router; character filtering is closer to the URL RFCs, and it's the responsibility of the app to do app-specific validation of args. Even without the parametric router, you'll find a copy of the raw args string in request.raw_args (or something like that), where you can reparse it if necessary, again doing your own validation.
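
Added example, not part of the original message and not web2py's own code: one way an app could reparse a raw args string and do its own validation before using args to reach the filesystem. The names `parse_raw_args`, `resolve_download`, `InvalidArgs` and `SEGMENT_RE` are hypothetical, and the allowlist policy is an assumption; the input is whatever raw args string the framework hands the app.

```python
import os
import re
from urllib.parse import unquote

# Assumed app policy: each segment is a plain file-name component that
# starts with a letter, digit or underscore (so no dotfiles, no '..').
SEGMENT_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.\-]{0,127}")


class InvalidArgs(ValueError):
    """Raised when the raw args string fails the app's own validation."""


def parse_raw_args(raw_args):
    """Split on '/', percent-decode each segment once, then validate it."""
    segments = []
    for part in raw_args.split("/"):
        if part == "":
            continue  # tolerate leading, trailing or doubled slashes
        decoded = unquote(part)
        # Validate the decoded form, so separators, NUL bytes or dots that
        # only appear after decoding are rejected as well.
        if not SEGMENT_RE.fullmatch(decoded) or ".." in decoded:
            raise InvalidArgs("rejected segment: %r" % part)
        segments.append(decoded)
    return segments


def resolve_download(base_dir, raw_args):
    """Map validated args to a path that must stay inside base_dir."""
    segments = parse_raw_args(raw_args)
    if not segments:
        raise InvalidArgs("no file requested")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *segments))
    # Containment check after resolving symlinks: a link inside base_dir
    # that points elsewhere is refused even though its name is valid.
    if os.path.commonpath([base, candidate]) != base:
        raise InvalidArgs("path escapes base directory")
    return candidate
```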