On Oct 25, 2011, at 11:57 AM, Pawel Jasinski <pawel.jasin...@gmail.com> wrote:
> hi,
>
>> of directory traversal attacks (~ specifically).
>
> how exactly?
>
> I am talking about arguments and only arguments. I agree that ~ in the case of application/controller/method makes no sense. In the case of static I agree 100%, but that is a different control path.

If you enable the parametric router, you'll get the kind of args handling you want, with the added feature that you can rewrite the args validation regex.

> The arguments are just that, arguments. If you put such a blanket statement about arguments in the URL, should you also do it for forms? At the end these are also arguments and someone may take them 1:1 and feed them into 'open'.
>
> It is up to the controller to decide what to do with args. I believe nobody takes anything that comes from the browser (args or form elements) and tries to use it as an argument of 'open'. In the case of web2py, the DAL already delivers a perfect mechanism to take whatever comes and convert it into a reasonable name:
>
> filename=db.table.field.store(content,whatever_convoluted_name_we_get).
>
> To be specific about the args filtering:
>
> args must match:
>
> regex_args = re.compile(r'''
> (^
> (?P<s>
> ( [\w@/-][=.]? )* # s=args
> )?
> /?$) # trailing slash
> ''', re.X)
>
> what I suggest is:
>
> regex_args = re.compile(r'''
> (^
> (?P<s>
> ( [~\w@/-][=.]? )* # s=args
> )?
> /?$) # trailing slash
> ''', re.X|re.U)
>
> Cheers,
> Pawel
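An added example (not from the thread or from web2py itself) that compiles both validators quoted above and runs sample args strings through them, so the effect of the proposed change can be checked rather than argued: the `..` sequence used in path traversal is rejected by both patterns, and the only difference is that `~` becomes an accepted character. The sample strings are constructed for the demonstration.

```python
import re

# Current web2py args validator, exactly as quoted in the thread.
REGEX_ARGS_CURRENT = re.compile(r'''
(^
(?P<s>
( [\w@/-][=.]? )* # s=args
)?
/?$) # trailing slash
''', re.X)

# Proposed variant: '~' added to the allowed character set, re.U enabled.
REGEX_ARGS_PROPOSED = re.compile(r'''
(^
(?P<s>
( [~\w@/-][=.]? )* # s=args
)?
/?$) # trailing slash
''', re.X | re.U)


def accepts(regex, args):
    """True if the whole args string passes the validator (anchored ^...$)."""
    return regex.match(args) is not None


def compare(samples):
    """Map each sample args string to (accepted_by_current, accepted_by_proposed)."""
    return {s: (accepts(REGEX_ARGS_CURRENT, s), accepts(REGEX_ARGS_PROPOSED, s))
            for s in samples}


if __name__ == "__main__":
    # Constructed samples: ordinary args, a trailing slash, a '~' path,
    # and two dotted forms. A dot is only allowed directly after an
    # allowed character, so '..' never matches in either pattern.
    for args, (cur, prop) in compare(
            ["a/b.c=d", "a/", "~user/file", "a.b", "a/../b", "a..b"]).items():
        print("%-12r current=%-5s proposed=%s" % (args, cur, prop))
```

Under Python 3 `\w` already matches Unicode word characters for str patterns, so `re.U` only changes behaviour on Python 2.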