The fix certainly works for me. And thanks, it's taken me a while to understand what Jonathan has been trying to tell me about changing the regex in routes.py. In fact it could hardly be simpler. However I think the revised regex is a much better default.
On Wednesday, 21 November 2012 16:23:54 UTC, Jonathan Lundell wrote:

> On 21 Nov 2012, at 5:59 AM, Massimo Di Pierro <massimo....@gmail.com> wrote:
>
> > I will take a patch to fix this.
> >
> > On Tuesday, 20 November 2012 07:00:37 UTC-6, jc wrote:
> > > You are correct of course, but to quote the book:
> > >
> > > "web2py includes two distinct URL rewrite systems: an easy-to-use parameter-based system for most use cases, and a flexible pattern-based system for more complex cases."
> > >
> > > You have to use the pattern based system to avoid the vulnerability, and I bet most people don't.
> > >
> > > Anyway, thanks for your work-around. Prompted by Jonathan I will look into using the pattern based system and remove the temporary fix.
>
> I may have a solution.
>
> Try replacing this: r'([\w@ -]+[=.]?)*$'
>
> with this: r'([\w@ -]|(?<=[\w@ -])[.=])*$'
>
> You can do this by using the args_match override in routes.py. (I notice that the documented default for args_match in router.example.py is wrong; that will need to be corrected as well.)
>
> file_match probably needs a similar fix.
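To see what the two args_match patterns quoted above accept and reject, here is an added example (not code from the thread or from web2py): both patterns are run over a set of constructed sample request args, and the result shows they accept the same strings. The function names and the sample list are my own.

```python
import re

# The two args_match patterns quoted in the thread, compiled the way a
# routes.py override would supply them; .match() anchors at the start and
# the trailing '$' anchors at the end, so the whole arg must match.
OLD_ARGS_MATCH = re.compile(r'([\w@ -]+[=.]?)*$')
NEW_ARGS_MATCH = re.compile(r'([\w@ -]|(?<=[\w@ -])[.=])*$')
# Structurally, the old pattern nests '+' inside '*', so a run of word
# characters can be split between iterations in many ways; the new pattern
# consumes exactly one character per iteration and uses a lookbehind to
# allow '.' or '=' only directly after a character from the main class.


def arg_accepted(pattern, arg):
    """Return True when the whole arg matches the pattern from its start."""
    return pattern.match(arg) is not None


# Constructed sample args (not from the thread): values a request like
# /app/controller/function/arg1/arg2 might carry in its args.
SAMPLE_ARGS = [
    "report",        # plain word
    "user@example",  # '@' is in the class
    "a-b c",         # hyphen and space are in the class
    "file.txt",      # '.' directly after a word character
    "key=value",     # '=' directly after a word character
    "v1.2.3",        # several single dots, each after a word character
    "",              # empty arg
    "..",            # leading dot, then a second dot
    "a..b",          # consecutive dots
    ".hidden",       # leading dot
    "=x",            # leading '='
    "dir/sub",       # '/' is not in the class
    "x;y",           # ';' is not in the class
    "a.=b",          # '=' preceded by '.', not by a class character
]


def compare_patterns(args=SAMPLE_ARGS):
    """Evaluate every arg under both patterns; return {arg: (old, new)}."""
    return {a: (arg_accepted(OLD_ARGS_MATCH, a),
                arg_accepted(NEW_ARGS_MATCH, a)) for a in args}


def rejected_by_both(args=SAMPLE_ARGS):
    """Args that neither pattern accepts, in input order."""
    return [a for a, (old, new) in compare_patterns(args).items()
            if not old and not new]
```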