The files in the uploads folder should be safe since they are all renamed. But what happens if the user passes e.g. '../models/db.py' as parameter? (The slashes would have to be encoded though, is this possible?) Then he would get access to the data model, which would not be good at all. I'm now testing for '..' in the filename; I hope that's sufficient and there is no way to circumvent this.
On 9 Oct., 03:53, TheSweetlink <yanosh...@gmail.com> wrote:
> Yes, a user can by default download(), but how would the user know
> the renamed filename though? I cannot say as I do not have much
> detail behind your app. Depending on where you're saving what will
> dictate what you should do better than any advice I can give. web2py
> enables a great deal of security enhancements by default so generally
> speaking you should be just fine with store() renaming your file.
>
> Yes, I too have found web2py to be an invaluable tool as well as this
> community being one of the most helpful and nicest around.
>
> Best,
> David
>
> On Oct 8, 6:48 am, Alex <mrauc...@gmail.com> wrote:
> > Upload should be safe since it's handled by web2py. But with the
> > download the user could possibly pass any path for the filename and
> > download files also from other folders. Should I check for '..' in the
> > filename? Would it be sufficient?
> >
> > btw, the community is great here. as is web2py :)
> >
> > Alex
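As an added example (not code from this thread or from web2py itself), here is the kind of check a download action can apply to the user-supplied filename. It compares the plain `'..'` substring test discussed above with a stricter check: an allowlist of characters permitted in a stored (renamed) upload name, followed by canonicalising the joined path and requiring it to stay directly inside the uploads directory. The `UPLOAD_DIR` location, the `SAFE_NAME` pattern and the sample filenames are assumptions for this example; the check runs on the already URL-decoded value the framework hands to the action.

```python
import os
import re

# Constructed base directory for this example. A real application would use
# its own uploads folder (web2py applications keep one under the app folder).
UPLOAD_DIR = os.path.realpath(os.path.join(os.getcwd(), "uploads"))

# Allowlist for stored upload names: letters, digits, '.', '_' and '-' only,
# and the name must start with a letter or digit. This is an assumption for
# the example; tighten it to match the renaming scheme actually in use.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def naive_check(filename):
    """The substring test from the thread: accepts any name without '..'."""
    return ".." not in filename


def safe_upload_path(filename, base_dir=UPLOAD_DIR):
    """Return the absolute path of a file directly inside base_dir, or None.

    Two layers: the allowlist rejects separators and other unexpected
    characters before any path handling, and the realpath comparison makes
    sure that whatever remains (including a symlink placed in the folder)
    still resolves to an entry whose parent is exactly base_dir.
    """
    if not SAFE_NAME.match(filename):
        return None
    candidate = os.path.realpath(os.path.join(base_dir, filename))
    if os.path.dirname(candidate) != base_dir:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary stored name, the traversal
    # value from the thread, and an absolute path that contains no '..'.
    for name in ("picture.abc123.jpg", "../models/db.py", "/etc/hostname"):
        print(f"{name!r:24} naive={naive_check(name)!s:5} "
              f"safe={'ok' if safe_upload_path(name) else 'rejected'}")
```

Running it shows that the `'..'` test alone accepts an absolute path, while the allowlist plus containment check accepts only the plain stored filename. Keeping the base directory canonicalised once (`os.path.realpath`) and comparing the parent of the resolved candidate, rather than only a string prefix, avoids false matches such as a sibling directory whose name begins with the same characters.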