Upload should be safe since it's handled by web2py. But with the
download the user could possibly pass any path as the filename and
download files from other folders as well. Should I check for '..' in the
filename? Would it be sufficient?

Btw, the community is great here. As is web2py :)

Alex

On 7 Oct., 21:39, TheSweetlink <yanosh...@gmail.com> wrote:
> I'm happy the upload works for you Alex.
>
> > do I have to take care about directory traversals and other security
> > risks? What's the easiest way to do this?
>
> As I understand it, the store() renaming of the file is what takes care
> of the dir traversal protection.
>
> I'm not a web2py dev so don't quote me on that.
>
> Perhaps you lot can confirm?
>
> David
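As an added illustration (not from this thread and not web2py's own code): a containment check for the download side, next to the plain '..' test from the question, which on its own does not catch an absolute path such as "/etc/passwd". The upload directory and the filenames are constructed assumptions.

```python
import os

# Constructed base directory for this example (assumption: in a web2py app
# you would point this at the application's own uploads folder).
UPLOAD_DIR = os.path.realpath(os.path.join(os.getcwd(), "uploads"))


def has_dotdot(name):
    """The naive check from the question: only looks for a literal '..'."""
    return ".." in name


def safe_upload_path(name, base=UPLOAD_DIR):
    """Return the absolute path of `name` inside `base`, or None if the
    request would reach outside the upload directory.

    Three layers: (1) the name must be a bare basename with no separators,
    (2) the joined path is canonicalised (symlinks and '..' resolved),
    (3) the canonical path must still sit under `base`.
    """
    if not name or name in (".", ".."):
        return None
    # Reject any directory component; check backslashes too, since on
    # POSIX os.path.basename would not treat them as separators.
    if os.path.basename(name) != name or "/" in name or "\\" in name:
        return None
    full = os.path.realpath(os.path.join(base, name))
    # Containment check on real paths, not on the user-supplied string.
    if os.path.commonpath([base, full]) != base:
        return None
    return full


if __name__ == "__main__":
    # Constructed sample filenames, including the form web2py produces
    # after store() renames an upload (table.field.<id>.<ext>).
    for candidate in ("person.photo.0a1b2c.jpg", "../../etc/passwd",
                      "/etc/passwd", "sub/file.txt"):
        print("%-25s dotdot=%-5s safe=%s" % (
            candidate, has_dotdot(candidate), safe_upload_path(candidate)))
```

Using the filename stored in the database by store() (rather than a name taken from the request) removes the problem at its source; the check above is the fallback for a download endpoint that still accepts a name.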
