Setting

    response.headers['Content-Disposition'] = 'attachment; filename=%s' % request.vars.filename  # to force download as attachment

did indeed get the 'Do you want to open or save' dialog to use request.vars.filename instead of request.args(0), and now for instance "harold's bossa.mp3" works fine. So I really appreciate your input. These things are very difficult to sort out without the help of more experienced people such as yourself.

Thanks
Peter

On Aug 17, 8:53 pm, peter <peterchutchin...@gmail.com> wrote:
> Next time I need to hire a hacker, I will ask you. Seriously though it
> is very useful being informed of vulnerabilities like this. I am a
> very experienced programmer but new to web design, so this is all
> valuable to understand.
>
> Thanks
> Peter
>
> On Aug 16, 2:50 pm, Anthony <abasta...@gmail.com> wrote:
> > On Tuesday, August 16, 2011 9:41:17 AM UTC-4, peter wrote:
> > > The URL I gave in the example happens behind the scenes, so it does
> > > not get displayed to the user.
> >
> > That's good, but note that an attacker could look at your HTML/Javascript
> > source code or watch the outgoing requests from your application, observe
> > the structure of your URLs, and still put together a directory traversal
> > attack, so be careful.
> >
> > Anthony
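The two issues raised in this thread, a client-supplied name being used to pick a file (directory traversal) and the same name being interpolated straight into the Content-Disposition header, can be handled in a few lines. The code below is an added example written for this page, not Peter's controller or part of web2py; DOWNLOAD_DIR is an assumed location, and the helpers take plain strings so they run outside a web2py request.

```python
import os
import re
from urllib.parse import quote

# Assumption: the directory from which downloads are served (constructed path).
DOWNLOAD_DIR = "/var/www/app/private/downloads"


def resolve_download(base_dir, requested_name):
    """Map a client-supplied name (e.g. request.vars.filename) onto a file under base_dir.

    Returns the absolute path, or None when the name is not a bare filename or
    the resolved path would leave base_dir (e.g. '../../etc/passwd').
    """
    if not requested_name:
        return None
    # Only a bare filename is acceptable: no separators, NUL bytes or dot components.
    if "/" in requested_name or "\\" in requested_name or "\0" in requested_name:
        return None
    if requested_name in (".", ".."):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested_name))
    # realpath follows symlinks, so a link inside base_dir pointing elsewhere is
    # caught here as well: the resolved path must still sit under base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def content_disposition(filename):
    """Build a Content-Disposition value that forces a download.

    The raw name is never placed in the header unquoted: CR, LF, quotes and
    backslashes are stripped from the quoted-string form so the value cannot
    inject further headers, and a percent-encoded filename* parameter
    (RFC 6266 / RFC 5987) carries names with spaces or non-ASCII characters.
    """
    ascii_name = re.sub(r'[\r\n"\\]', "", filename)
    ascii_name = ascii_name.encode("ascii", "replace").decode("ascii") or "download"
    return 'attachment; filename="%s"; filename*=UTF-8\'\'%s' % (
        ascii_name, quote(filename, safe=""))
```

In a web2py action the two calls would be `path = resolve_download(DOWNLOAD_DIR, request.vars.filename)` (returning a 404 when it is None) followed by `response.headers['Content-Disposition'] = content_disposition(os.path.basename(path))` before streaming the file.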