Thanks Anthony,

I really appreciate the sanity check.


On Sat, May 10, 2014 at 1:07 PM, Anthony <abasta...@gmail.com> wrote:

> Note, even when serving files from the /uploads folder via
> response.download(), the links still include the web2py obfuscated filename
> -- so no difference when serving from /static.
>
> The transformed filenames include the table and field name as well as (1)
> a 16 character fragment from a UUID and (2) the original filename
> transformed to Base16 encoding. These elements are used to prevent
> directory traversal attacks via uploads as well as random guessing to find
> files to download. Exposing the names of actual files that you are making
> available to the public should not pose any problems.
>
> Anthony
>
>
> On Saturday, May 10, 2014 1:20:03 PM UTC-4, Mark Graves wrote:
>>
>> Hey everyone,
>>
>> So I have a bunch of static files, managed by the database, which are not
>> proprietary.  They will be public content on the web site.  I put them in
>> the static folder so they can be served by Apache instead of streamed by
>> web2py.
>>
>> As I developed, I put a link in to download these files, or render the
>> images to the user.  These links use the web2py obfuscated file name, as
>> the files were put in these folders through the upload mechanism.
>>
>> My question is:
>>
>> Is there an inherent security risk in doing this?
>>
>> The files include the table names obviously, and the obfuscated name.
>>
>> Could these files be used to attack that table somehow? (obviously if my
>> controllers are not secure, that's a problem, but more from just exposing
>> these obfuscated names to the public)
>>
>> Thanks in advance!
>>
>  --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "web2py-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/web2py/svUn-EBei6k/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> web2py+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
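The stored-name layout Anthony describes (table, field, a 16-character UUID fragment, the Base16-encoded original name, then the extension), as an added example that is not web2py's own code: a hypothetical builder plus a parser that shows exactly what such a name reveals to the public (table, field and original filename) and rejects any stored or decoded name that could point outside the uploads folder.

```python
import base64
import re
import uuid

# Layout from the thread: <table>.<field>.<16 hex chars of a UUID>.<base16(original)>.<ext>
# The regex is an assumption modelled on that description, not web2py's own pattern.
UPLOAD_NAME_RE = re.compile(
    r"^(?P<table>[\w-]+)\.(?P<field>[\w-]+)\.(?P<uuidkey>[0-9a-f]{16})"
    r"\.(?P<encoded>[0-9a-fA-F]+)\.(?P<ext>\w+)$"
)


def make_upload_name(table, field, original_name):
    """Build a stored name in the layout above (hypothetical helper, not Field.store)."""
    ext = original_name.rsplit(".", 1)[-1] if "." in original_name else "txt"
    uuidkey = uuid.uuid4().hex[-16:]            # 16-character fragment of a UUID
    encoded = base64.b16encode(original_name.encode("utf-8")).decode("ascii").lower()
    return f"{table}.{field}.{uuidkey}.{encoded}.{ext}"


def parse_upload_name(stored_name):
    """Return (table, field, original_name) recovered from a stored upload name.

    Raises ValueError when the name is not a bare filename in the expected
    layout, or when the decoded original name carries a path separator or a
    traversal component.  Anyone holding the public link can do this decoding,
    which is why the original filename should be considered public too.
    """
    if "/" in stored_name or "\\" in stored_name:
        raise ValueError("stored name must be a bare filename, not a path")
    m = UPLOAD_NAME_RE.match(stored_name)
    if not m:
        raise ValueError("not a recognised upload name")
    # b16decode raises binascii.Error (a ValueError subclass) on bad or odd-length hex.
    original = base64.b16decode(m.group("encoded"), casefold=True).decode("utf-8")
    if "/" in original or "\\" in original or original in ("", ".", ".."):
        raise ValueError("decoded filename is not a safe download name")
    return m.group("table"), m.group("field"), original
```

Running `parse_upload_name` on a link from a page only recovers the table, field and original filename; the UUID fragment is what stops a visitor from guessing names for other rows' files.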
