I submitted an issue #2457 <https://github.com/web2py/web2py/issues/2457> a month ago. Please leverage that one.
On Monday, February 13, 2023 at 12:28:40 AM UTC-7 david....@gmail.com wrote: > Hi pcg, > > I also created a bug report for this one and got a message from Massimo > that it would be fixed in a new release. A work-around I used was to > simply put the code below in the admin default.py into comment: > * #if not a_for_check.startswith(web2py_apps_root):* > * # raise HTTP(403) * > But I don't know what the final solution will be in the official fix. > > Kind Regards, > David > > On Sunday, February 12, 2023 at 10:21:20 PM UTC+1 pcg...@gmail.com wrote: > >> Have the same issue (python 3.10) i've tried the latest web2py 2.23.1, >> and it's th same. I'm kind of lost on this one. >> >> Le lundi 9 janvier 2023 à 05:44:16 UTC-5, david....@gmail.com a écrit : >> >>> I am using python 3.9.15 >>> >>> On Monday, January 9, 2023 at 11:00:22 AM UTC+1 Clemens wrote: >>> >>>> Just a guess: What python version are you using? If you're still using >>>> python 2, it could be the reason. >>>> >>>> On Monday, January 9, 2023 at 10:55:21 AM UTC+1 david....@gmail.com >>>> wrote: >>>> >>>>> Which is in turn caused by: >>>>> >>>>> *def app_pack*(app, request, raise_ex=False, filenames=None): >>>>> """Builds a w2p package for the application >>>>> >>>>> Args: >>>>> app(str): application name >>>>> request: the global request object >>>>> Returns: >>>>> filename of the w2p file or None on error >>>>> >>>>> """ >>>>> try: >>>>> if filenames is None: >>>>> app_cleanup(app, request) >>>>> * filename = apath('../deposit/web2py.app.%s.w2p' % app, >>>>> request)* >>>>> w2p_pack(filename, apath(app, request), filenames=filenames) >>>>> return filename >>>>> except Exception as e: >>>>> if raise_ex: >>>>> raise >>>>> return False >>>>> >>>>> On Monday, January 9, 2023 at 10:37:57 AM UTC+1 Davidiam wrote: >>>>> >>>>>> I found where this is occurring (out of the box run, no mods): >>>>>> >>>>>> >>>>>> C:\Users\u30591\web2py_2.23.0\web2py\applications\admin\controllers\default.py: >>>>>> def safe_open(a, b): >>>>>> if (DEMO_MODE or is_gae) and ('w' in b or 'a' in b): >>>>>> class tmp: >>>>>> >>>>>> def write(self, data): >>>>>> pass >>>>>> >>>>>> def close(self): >>>>>> pass >>>>>> return tmp() >>>>>> >>>>>> a_for_check = os.path.abspath(os.path.normpath(a)) >>>>>> web2py_apps_root = os.path.abspath(up(request.folder)) >>>>>> >>>>>> * if not a_for_check.startswith(web2py_apps_root):* >>>>>> * raise HTTP(403) * >>>>>> >>>>>> Because: >>>>>> *web2py_apps_root* = >>>>>> 'C:\\Users\\myuser\\web2py_2.23.0\\web2py\\applications' >>>>>> *a_for_check *= >>>>>> 'C:\\Users\\myuser\\web2py_2.23.0\\web2py\\deposit\\web2py.app.403_test.w2p' >>>>>> >>>>>> >>>>>> On Thursday, January 5, 2023 at 9:54:07 AM UTC+1 Davidiam wrote: >>>>>> >>>>>>> Good Morning, >>>>>>> >>>>>>> We are using IIS 10 with web2py 2.23.0. >>>>>>> >>>>>>> When I try to pack the welcome application (or any other), using >>>>>>> pack_all I get a 403 error. >>>>>>> When I try to pack the welcome application (or any other), using >>>>>>> pack_custom, it first displays the file selector and when I click on >>>>>>> download as .w2p I get a 403 error. >>>>>>> >>>>>>> This seems to be related to the open_redirect changes. I tried >>>>>>> putting the 403 error related code from the admin\default.py controller >>>>>>> in >>>>>>> comment, but it still is giving the error. >>>>>>> >>>>>>> Kind Regards, >>>>>>> David >>>>>>> >>>>>> -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/787efb55-820c-469e-bdf5-33f49d606c04n%40googlegroups.com.