On 21 Nov 2012, at 5:59 AM, Massimo Di Pierro <massimo.dipie...@gmail.com> wrote:

> I will take a patch to fix this.
>
> On Tuesday, 20 November 2012 07:00:37 UTC-6, jc wrote:
> You are correct of course, but to quote the book:
>
> "web2py includes two distinct URL rewrite systems: an easy-to-use
> parameter-based system for most use cases, and a flexible pattern-based
> system for more complex cases."
>
> You have to use the pattern based system to avoid the vulnerability, and I
> bet most people don't.
>
> Anyway, thanks for your work-around. Prompted by Jonathan I will look into
> using the pattern based system and remove the temporary fix.
>
I may have a solution. Try replacing this:

    r'([\w@ -]+[=.]?)*$'

with this:

    r'([\w@ -]|(?<=[\w@ -])[.=])*$'

You can do this by using the args_match override in routes.py.

(I notice that the documented default for args_match in router.example.py is wrong; that will need to be corrected as well.)

file_match probably needs a similar fix.

--
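The two patterns from the message side by side, as an added Python example that is not part of the thread and not web2py's own code. The message does not say what the vulnerability is; what the code below shows is a property of the patterns themselves: the first has the `(...+...)*` shape that makes a backtracking engine try every way of splitting a run once the trailing `$` fails, so a non-matching argument costs time that doubles with every extra character, while the replacement consumes exactly one character per iteration and fails in linear time. The example checks that both patterns accept and reject the same constructed sample arguments, then times each on a constructed hostile argument. The sample arguments, `hostile_arg`, and the helper names are all this example's own; how the pattern is wired in via the args_match override in routes.py is as the message describes and is not repeated here.

```python
import re
import timeit

# args_match as quoted in the message: a run of allowed characters, an
# optional separator, the pair repeated. Once '$' fails on a bad tail, the
# engine re-tries every partition of the run into sub-runs: 2**n attempts.
ORIGINAL_ARGS_MATCH = re.compile(r'([\w@ -]+[=.]?)*$')

# Proposed replacement: each iteration of the group consumes exactly one
# character, and the lookbehind keeps '.' or '=' from opening the string or
# following another '.' or '='. One way to match means nothing to backtrack.
PROPOSED_ARGS_MATCH = re.compile(r'([\w@ -]|(?<=[\w@ -])[.=])*$')

# Constructed sample args (not from the thread) with the acceptance both
# patterns are expected to give. '$' also accepts one trailing newline; both
# patterns share that behaviour, so it does not separate them.
SAMPLE_ARGS = {
    '': True,
    'hello': True,
    'a.b=c': True,
    'user@example.com': True,
    'file.tar.gz': True,
    'a b-c_d': True,
    'trailing.': True,
    'x=': True,
    '.hidden': False,   # separator with nothing before it
    'a..b': False,      # two separators in a row
    'a=.b': False,      # separator after a separator
    'a/b': False,       # '/' is not in the character class
}


def accepts(pattern, arg):
    """True if `arg` passes `pattern` as a URL arg (anchored match at start)."""
    return pattern.match(arg) is not None


def compare_acceptance(args=SAMPLE_ARGS):
    """Return [(arg, expected, original_accepts, proposed_accepts), ...]."""
    return [(arg, expected,
             accepts(ORIGINAL_ARGS_MATCH, arg),
             accepts(PROPOSED_ARGS_MATCH, arg))
            for arg, expected in args.items()]


def same_language(args=SAMPLE_ARGS):
    """True if both patterns agree with each other and with the expectations."""
    return all(expected == orig == prop
               for _, expected, orig, prop in compare_acceptance(args))


def hostile_arg(n):
    """n characters the class accepts, then one it rejects: the whole run
    matches, '$' then fails, and the engine starts backtracking."""
    return 'a' * n + '!'


def match_seconds(pattern, arg):
    """Wall-clock seconds for one match attempt (best of three)."""
    return min(timeit.repeat(lambda: pattern.match(arg), number=1, repeat=3))


if __name__ == '__main__':
    for row in compare_acceptance():
        print('%-20r expected=%-5s original=%-5s proposed=%s' % row)
    print('same language:', same_language())

    # Original pattern: each extra character roughly doubles the time.
    for n in (10, 12, 14, 16):
        secs = match_seconds(ORIGINAL_ARGS_MATCH, hostile_arg(n))
        print('original  n=%4d  %.4fs' % (n, secs))
    # Proposed pattern: a far longer hostile arg, rejected in linear time.
    secs = match_seconds(PROPOSED_ARGS_MATCH, hostile_arg(5000))
    print('proposed  n=5000  %.4fs' % secs)
```

Running the script prints the acceptance table, then a timing column for the original pattern that roughly quadruples every two characters; the proposed pattern rejects a 5000-character hostile argument in well under a millisecond. When adopting a replacement like this, keep an acceptance table of real arguments from the application alongside it: the point of the rewrite is that the accepted language stays the same while the worst-case matching time becomes linear, and the table is what proves the first half.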