Hi pcg,

I also created a bug report for this one and got a message from Massimo that it would be fixed in a new release. A work-around I used was to simply put the code below in the admin default.py into comment:

*#if not a_for_check.startswith(web2py_apps_root):*
*#    raise HTTP(403)*

But I don't know what the final solution will be in the official fix.
Kind Regards,
David

On Sunday, February 12, 2023 at 10:21:20 PM UTC+1 pcg...@gmail.com wrote:

> Have the same issue (python 3.10). I've tried the latest web2py 2.23.1,
> and it's the same. I'm kind of lost on this one.
>
> On Monday, January 9, 2023 at 05:44:16 UTC-5, david....@gmail.com wrote:
>
>> I am using python 3.9.15
>>
>> On Monday, January 9, 2023 at 11:00:22 AM UTC+1 Clemens wrote:
>>
>>> Just a guess: What python version are you using? If you're still using
>>> python 2, it could be the reason.
>>>
>>> On Monday, January 9, 2023 at 10:55:21 AM UTC+1 david....@gmail.com wrote:
>>>
>>>> Which is in turn caused by:
>>>>
>>>> *def app_pack*(app, request, raise_ex=False, filenames=None):
>>>>     """Builds a w2p package for the application
>>>>
>>>>     Args:
>>>>         app(str): application name
>>>>         request: the global request object
>>>>     Returns:
>>>>         filename of the w2p file or None on error
>>>>
>>>>     """
>>>>     try:
>>>>         if filenames is None:
>>>>             app_cleanup(app, request)
>>>>         *filename = apath('../deposit/web2py.app.%s.w2p' % app, request)*
>>>>         w2p_pack(filename, apath(app, request), filenames=filenames)
>>>>         return filename
>>>>     except Exception as e:
>>>>         if raise_ex:
>>>>             raise
>>>>         return False
>>>>
>>>> On Monday, January 9, 2023 at 10:37:57 AM UTC+1 Davidiam wrote:
>>>>
>>>>> I found where this is occurring (out of the box run, no mods):
>>>>>
>>>>> C:\Users\u30591\web2py_2.23.0\web2py\applications\admin\controllers\default.py:
>>>>>
>>>>> def safe_open(a, b):
>>>>>     if (DEMO_MODE or is_gae) and ('w' in b or 'a' in b):
>>>>>         class tmp:
>>>>>
>>>>>             def write(self, data):
>>>>>                 pass
>>>>>
>>>>>             def close(self):
>>>>>                 pass
>>>>>         return tmp()
>>>>>
>>>>>     a_for_check = os.path.abspath(os.path.normpath(a))
>>>>>     web2py_apps_root = os.path.abspath(up(request.folder))
>>>>>
>>>>>     *if not a_for_check.startswith(web2py_apps_root):*
>>>>>         *raise HTTP(403)*
>>>>>
>>>>> Because:
>>>>> *web2py_apps_root* = 'C:\\Users\\myuser\\web2py_2.23.0\\web2py\\applications'
>>>>> *a_for_check* = 'C:\\Users\\myuser\\web2py_2.23.0\\web2py\\deposit\\web2py.app.403_test.w2p'
>>>>>
>>>>> On Thursday, January 5, 2023 at 9:54:07 AM UTC+1 Davidiam wrote:
>>>>>
>>>>>> Good Morning,
>>>>>>
>>>>>> We are using IIS 10 with web2py 2.23.0.
>>>>>>
>>>>>> When I try to pack the welcome application (or any other), using
>>>>>> pack_all I get a 403 error.
>>>>>> When I try to pack the welcome application (or any other), using
>>>>>> pack_custom, it first displays the file selector and when I click on
>>>>>> download as .w2p I get a 403 error.
>>>>>>
>>>>>> This seems to be related to the open_redirect changes. I tried
>>>>>> putting the 403 error related code from the admin\default.py controller
>>>>>> in comment, but it still is giving the error.
>>>>>>
>>>>>> Kind Regards,
>>>>>> David
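An added example, not part of the thread and not web2py's official fix: a component-wise containment check that accepts an explicit list of allowed roots, so the `deposit` target from the report passes without disabling the check. It goes slightly beyond the reported case by also showing a sibling-directory name and a `..` path; `is_within`, `startswith_check` and all sample paths are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules on any host, matching the paths in the thread


def startswith_check(path, root):
    """String-prefix comparison, the style of check quoted in the thread."""
    return ntpath.normpath(path).startswith(ntpath.normpath(root))


def is_within(path, roots):
    """Return True if path lies inside one of roots, compared per component.

    Hypothetical helper. Purely lexical: on a real filesystem, resolve
    symlinks (os.path.realpath) before calling it.
    """
    path = ntpath.normcase(ntpath.normpath(path))
    for root in roots:
        root = ntpath.normcase(ntpath.normpath(root))
        try:
            if ntpath.commonpath([path, root]) == root:
                return True
        except ValueError:  # different drives, or absolute mixed with relative
            continue
    return False


# Constructed sample paths, modelled on the values reported in the thread.
BASE = r"C:\Users\myuser\web2py_2.23.0\web2py"
APPS = BASE + r"\applications"
DEPOSIT = BASE + r"\deposit"
PACKED = DEPOSIT + r"\web2py.app.403_test.w2p"
SIBLING = BASE + r"\applications_old\notes.txt"  # shares the string prefix only
TRAVERSAL = APPS + r"\welcome\..\..\..\outside.txt"

if __name__ == "__main__":
    allowed = [APPS, DEPOSIT]
    for label, p in [("packed", PACKED), ("sibling", SIBLING), ("traversal", TRAVERSAL)]:
        print(f"{label:10} startswith={startswith_check(p, APPS)!s:5} "
              f"is_within={is_within(p, allowed)}")
```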