Hi pcg,
I also created a bug report for this one and got a message from Massimo
that it would be fixed in a new release. A work-around I used was to
simply put the code below in the admin default.py into comment:
* #if not a_for_check.startswith(web2py_apps_root):*
* # raise HTTP(403) *
But I don't know what the final solution will be in the official fix.
Kind Regards,
David
On Sunday, February 12, 2023 at 10:21:20 PM UTC+1 pcg...@gmail.com wrote:
> Have the same issue (python 3.10) i've tried the latest web2py 2.23.1,
> and it's th same. I'm kind of lost on this one.
>
> Le lundi 9 janvier 2023 à 05:44:16 UTC-5, david....@gmail.com a écrit :
>
>> I am using python 3.9.15
>>
>> On Monday, January 9, 2023 at 11:00:22 AM UTC+1 Clemens wrote:
>>
>>> Just a guess: What python version are you using? If you're still using
>>> python 2, it could be the reason.
>>>
>>> On Monday, January 9, 2023 at 10:55:21 AM UTC+1 david....@gmail.com
>>> wrote:
>>>
>>>> Which is in turn caused by:
>>>>
>>>> *def app_pack*(app, request, raise_ex=False, filenames=None):
>>>> """Builds a w2p package for the application
>>>>
>>>> Args:
>>>> app(str): application name
>>>> request: the global request object
>>>> Returns:
>>>> filename of the w2p file or None on error
>>>>
>>>> """
>>>> try:
>>>> if filenames is None:
>>>> app_cleanup(app, request)
>>>> * filename = apath('../deposit/web2py.app.%s.w2p' % app,
>>>> request)*
>>>> w2p_pack(filename, apath(app, request), filenames=filenames)
>>>> return filename
>>>> except Exception as e:
>>>> if raise_ex:
>>>> raise
>>>> return False
>>>>
>>>> On Monday, January 9, 2023 at 10:37:57 AM UTC+1 Davidiam wrote:
>>>>
>>>>> I found where this is occurring (out of the box run, no mods):
>>>>>
>>>>>
>>>>> C:\Users\u30591\web2py_2.23.0\web2py\applications\admin\controllers\default.py:
>>>>> def safe_open(a, b):
>>>>> if (DEMO_MODE or is_gae) and ('w' in b or 'a' in b):
>>>>> class tmp:
>>>>>
>>>>> def write(self, data):
>>>>> pass
>>>>>
>>>>> def close(self):
>>>>> pass
>>>>> return tmp()
>>>>>
>>>>> a_for_check = os.path.abspath(os.path.normpath(a))
>>>>> web2py_apps_root = os.path.abspath(up(request.folder))
>>>>>
>>>>> * if not a_for_check.startswith(web2py_apps_root):*
>>>>> * raise HTTP(403) *
>>>>>
>>>>> Because:
>>>>> *web2py_apps_root* =
>>>>> 'C:\\Users\\myuser\\web2py_2.23.0\\web2py\\applications'
>>>>> *a_for_check *=
>>>>> 'C:\\Users\\myuser\\web2py_2.23.0\\web2py\\deposit\\web2py.app.403_test.w2p'
>>>>>
>>>>>
>>>>> On Thursday, January 5, 2023 at 9:54:07 AM UTC+1 Davidiam wrote:
>>>>>
>>>>>> Good Morning,
>>>>>>
>>>>>> We are using IIS 10 with web2py 2.23.0.
>>>>>>
>>>>>> When I try to pack the welcome application (or any other), using
>>>>>> pack_all I get a 403 error.
>>>>>> When I try to pack the welcome application (or any other), using
>>>>>> pack_custom, it first displays the file selector and when I click on
>>>>>> download as .w2p I get a 403 error.
>>>>>>
>>>>>> This seems to be related to the open_redirect changes. I tried
>>>>>> putting the 403 error related code from the admin\default.py controller
>>>>>> in
>>>>>> comment, but it still is giving the error.
>>>>>>
>>>>>> Kind Regards,
>>>>>> David
>>>>>>
>>>>>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/web2py/821a80ba-4903-49eb-97cb-d8bf5631c32an%40googlegroups.com.
