I submitted an issue #2457 <https://github.com/web2py/web2py/issues/2457> a 
month ago. Please leverage that one.

On Monday, February 13, 2023 at 12:28:40 AM UTC-7 david....@gmail.com wrote:

> Hi pcg,
>
> I also created a bug report for this one and got a message from Massimo 
> that it would be fixed in a new release.  A work-around I used was to 
> simply put the code below in the admin default.py into comment:
> *    #if not a_for_check.startswith(web2py_apps_root):*
> *    #    raise HTTP(403) *
> But I don't know what the final solution will be in the official fix.
>
> Kind Regards,
> David
>
> On Sunday, February 12, 2023 at 10:21:20 PM UTC+1 pcg...@gmail.com wrote:
>
>> Have the same issue (python 3.10). I've tried the latest web2py 2.23.1, 
>> and it's the same.   I'm kind of lost on this one.
>>
>> On Monday, January 9, 2023 at 5:44:16 AM UTC-5 david....@gmail.com wrote:
>>
>>> I am using python 3.9.15
>>>
>>> On Monday, January 9, 2023 at 11:00:22 AM UTC+1 Clemens wrote:
>>>
>>>> Just a guess: What python version are you using? If you're still using 
>>>> python 2, it could be the reason.
>>>>
>>>> On Monday, January 9, 2023 at 10:55:21 AM UTC+1 david....@gmail.com 
>>>> wrote:
>>>>
>>>>> Which is in turn caused by:
>>>>>
>>>>> *def app_pack*(app, request, raise_ex=False, filenames=None):
>>>>>     """Builds a w2p package for the application
>>>>>
>>>>>     Args:
>>>>>         app(str): application name
>>>>>         request: the global request object
>>>>>     Returns:
>>>>>         filename of the w2p file or None on error
>>>>>
>>>>>     """
>>>>>     try:
>>>>>         if filenames is None:
>>>>>             app_cleanup(app, request)
>>>>> *        filename = apath('../deposit/web2py.app.%s.w2p' % app, request)*
>>>>>         w2p_pack(filename, apath(app, request), filenames=filenames)
>>>>>         return filename
>>>>>     except Exception as e:
>>>>>         if raise_ex:
>>>>>             raise
>>>>>         return False
>>>>>
>>>>> On Monday, January 9, 2023 at 10:37:57 AM UTC+1 Davidiam wrote:
>>>>>
>>>>>> I found where this is occurring (out of the box run, no mods):
>>>>>>
>>>>>>
>>>>>> C:\Users\u30591\web2py_2.23.0\web2py\applications\admin\controllers\default.py:
>>>>>> def safe_open(a, b):
>>>>>>     if (DEMO_MODE or is_gae) and ('w' in b or 'a' in b):
>>>>>>         class tmp:
>>>>>>
>>>>>>             def write(self, data):
>>>>>>                 pass
>>>>>>
>>>>>>             def close(self):
>>>>>>                 pass
>>>>>>         return tmp()
>>>>>>
>>>>>>     a_for_check = os.path.abspath(os.path.normpath(a))
>>>>>>     web2py_apps_root = os.path.abspath(up(request.folder))
>>>>>>
>>>>>> *    if not a_for_check.startswith(web2py_apps_root):*
>>>>>> *        raise HTTP(403) *
>>>>>>
>>>>>> Because:
>>>>>> *web2py_apps_root* = 
>>>>>> 'C:\\Users\\myuser\\web2py_2.23.0\\web2py\\applications'
>>>>>> *a_for_check *=  
>>>>>> 'C:\\Users\\myuser\\web2py_2.23.0\\web2py\\deposit\\web2py.app.403_test.w2p'
>>>>>>
>>>>>>
>>>>>> On Thursday, January 5, 2023 at 9:54:07 AM UTC+1 Davidiam wrote:
>>>>>>
>>>>>>> Good Morning,
>>>>>>>
>>>>>>> We are using IIS 10 with web2py 2.23.0.
>>>>>>>
>>>>>>> When I try to pack the welcome application (or any other), using 
>>>>>>> pack_all I get a 403 error.
>>>>>>> When I try to pack the welcome application (or any other), using 
>>>>>>> pack_custom, it first displays the file selector and when I click on 
>>>>>>> download as .w2p I get a 403 error.
>>>>>>>
>>>>>>> This seems to be related to the open_redirect changes.  I tried 
>>>>>>> putting the 403 error related code from the admin\default.py controller 
>>>>>>> in 
>>>>>>> comment, but it still is giving the error.  
>>>>>>>
>>>>>>> Kind Regards,
>>>>>>> David
>>>>>>>
>>>>>>
