Note, even when serving files from the /uploads folder via 
response.download(), the links still include the web2py obfuscated filename 
-- so no difference when serving from /static.

The transformed filenames include the table and field name as well as (1) a 
16 character fragment from a UUID and (2) the original filename transformed 
to Base16 encoding. These elements are used to prevent directory traversal 
attacks via uploads as well as random guessing to find files to download. 
Exposing the names of actual files that you are making available to the 
public should not pose any problems.

Anthony

On Saturday, May 10, 2014 1:20:03 PM UTC-4, Mark Graves wrote:
>
> Hey everyone,
>
> So I have a bunch of static files, managed by the database, which are not 
> proprietary.  They will be public content on the web site.  I put them in 
> the static folder so they can be served by Apache instead of streamed by 
> web2py.
>
> As I developed, I put a link in to download these files, or render the 
> images to the user.  These links use the web2py obfuscated file name, as 
> the files were put in these folders through the upload mechanism.
>
> My question is:
>
> Is there an inherent security risk in doing this?
>
> The files include the table names obviously, and the obfuscated name.
>
> Could these files be used to attack that table somehow? (obviously if my 
> controllers are not secure, that's a problem, but more from just exposing 
> these obfuscated names to the public)
>
> Thanks in advance!
>
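As an added illustration of the naming scheme Anthony describes above (example code, not web2py's own implementation and not part of either message): a Python reconstruction of the stored-name layout together with the strict validation a download handler would apply before touching the filesystem. The 16-character UUID fragment and the Base16 step follow his description; the regex, the basename reduction and the function names are my assumptions.

```python
import base64
import os
import re
import uuid

# Layout the post describes: table.field.<16 hex chars>.<base16 original name>.<ext>
# (this regex and its limits are my assumptions, not web2py's own definitions)
UPLOAD_NAME_RE = re.compile(
    r"^(?P<table>\w+)\.(?P<field>\w+)\.(?P<key>[0-9a-f]{16})\."
    r"(?P<name>[0-9a-f]+)\.(?P<ext>\w{1,5})$"
)
EXT_RE = re.compile(r"\.(?P<e>\w{1,5})$")

def build_upload_name(table, field, original, key=None):
    """Build a stored name: Base16 leaves only [0-9a-f] from the user-supplied
    name (no '/', '\\' or '..' survive), and the 16-char UUID fragment is what
    makes guessing a stored name impractical."""
    m = EXT_RE.search(original)
    ext = m.group("e") if m else "txt"
    key = key or uuid.uuid4().hex[-16:]
    encoded = base64.b16encode(original.encode("utf-8")).decode("ascii").lower()
    return "%s.%s.%s.%s.%s" % (table, field, key, encoded, ext)

def parse_upload_name(stored):
    """Strictly validate a stored name and return (table, field, original_basename).
    Raises ValueError for anything off-layout; the decoded name is reduced to its
    basename so a forged link cannot point outside the uploads folder."""
    m = UPLOAD_NAME_RE.match(stored)
    if not m:
        raise ValueError("not an upload filename: %r" % stored)
    try:
        original = base64.b16decode(m.group("name"), casefold=True).decode("utf-8")
    except ValueError:  # odd length, non-hex, or invalid UTF-8
        raise ValueError("undecodable original name in %r" % stored)
    original = os.path.basename(original.replace("\\", "/"))
    if original in ("", ".", ".."):
        raise ValueError("no usable original name in %r" % stored)
    return m.group("table"), m.group("field"), original

def is_valid_upload_name(stored):
    """True when the stored name passes every check in parse_upload_name."""
    try:
        parse_upload_name(stored)
        return True
    except ValueError:
        return False
```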
