Yes, a user can by default download(), but how would the user know the renamed filename though? I cannot say as I do not have much detail behind your app. Depending on where you're saving what will dictate what you should do better than any advice I can give. web2py enables a great deal of security enhancements by default so generally speaking you should be just fine with store() renaming your file.
Yes, I too have found web2py to be an invaluable tool as well as this community being one of the most helpful and nicest around.

Best,
David

On Oct 8, 6:48 am, Alex <mrauc...@gmail.com> wrote:
> Upload should be safe since it's handled by web2py. But with the
> download the user possibly could pass any path for the filename and
> download files also from other folders. Should I check for '..' in the
> filename? Would it be sufficient?
>
> btw, the community is great here. as is web2py :)
>
> Alex
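
The '..' question raised in the quoted message, as an added example (not part of the original thread and not web2py code): it compares a substring check for '..' with resolving the requested name and confirming it stays inside the upload folder. The function names, folder layout and file names are hypothetical and the sample files are constructed in a temporary directory.

```python
import os
import tempfile


def naive_check(filename):
    """The check asked about in the thread: accept any name without '..'."""
    return ".." not in filename


def resolve_inside(base_dir, filename):
    """Return the real path of filename if it stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # os.path.join drops base when filename is absolute, and realpath follows
    # symlinks, so containment is checked on the resolved path, not the input.
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Build a constructed upload folder and run both checks on sample names."""
    root = os.path.realpath(tempfile.mkdtemp())
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    outside = os.path.join(root, "settings.txt")  # file outside the upload folder
    for path in (outside,
                 os.path.join(uploads, "report.txt"),
                 os.path.join(uploads, "notes..v2.txt")):
        with open(path, "w") as handle:
            handle.write("sample")
    requested = ["report.txt", "../settings.txt", outside, "notes..v2.txt"]
    # Each entry: (naive check accepts?, containment check accepts?)
    return [(naive_check(name), resolve_inside(uploads, name) is not None)
            for name in requested]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The third sample is an absolute path that contains no '..', so the substring check accepts it while the containment check rejects it; the fourth is a legitimate name that the substring check rejects.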