The url is validated. .. is not allowed in the URL.
On Oct 11, 5:01 pm, Alex <mrauc...@gmail.com> wrote:
> the files in the uploads folder should be safe since they are all
> renamed. But what happens if the user passes e.g. '../models/db.py' as
> parameter? (the slashes would have to be encoded though, is this
> possible?) Then he would get access to the data model which would not
> be good at all. I'm now testing for '..' in the filename, I hope
> that's sufficient and there is no way to circumvent this.
>
> On Oct 9, 03:53, TheSweetlink <yanosh...@gmail.com> wrote:
> > Yes a user can by default download() but how would the user know
> > the renamed filename though? I cannot say as I do not have much
> > detail behind your app. Depending on where you're saving what will
> > dictate what you should do better than any advice I can give. web2py
> > enables a great deal of security enhancements by default so generally
> > speaking you should be just fine with store() renaming your file.
> >
> > Yes, I too have found web2py to be an invaluable tool as well as this
> > community being one of the most helpful and nicest around.
> >
> > Best,
> > David
> >
> > On Oct 8, 6:48 am, Alex <mrauc...@gmail.com> wrote:
> > > Upload should be safe since it's handled by web2py. But with the
> > > download the user could possibly pass any path for the filename and
> > > download files also from other folders. Should I check for '..' in the
> > > filename? Would it be sufficient?
> > >
> > > btw, the community is great here. as is web2py :)
> > >
> > > Alex
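The thread asks whether rejecting '..' in the requested filename is enough to keep a download action inside the uploads folder. The example below is added here to illustrate the defensive pattern; it is not web2py's own download() or store() code, and the function names, the allowed-character pattern for renamed uploads, and the directory paths are assumptions. It pairs a whitelist check on the filename's shape with a containment check on the resolved path, so that a name that is decoded into separators, an absolute path, or a symlink is rejected even when the literal string '..' is absent.

```python
import os
import re
from typing import Optional

# Assumption: renamed uploads consist only of letters, digits, '_', '.', '-'.
# Anything else (slashes, backslashes, '%', NUL, spaces) is rejected outright.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def is_safe_filename(name: str) -> bool:
    """Whitelist the filename's shape rather than blacklisting '..'.

    Rejects empty names, names with any path separator or other character
    outside the allowed set, and the dot-only names '.' and '..'.
    """
    if not name or not SAFE_NAME.match(name):
        return False
    if name in (".", "..") or ".." in name:
        return False
    return True


def resolve_download(uploads_dir: str, name: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request must be refused.

    Two independent checks:
      1. is_safe_filename() refuses names that are not plain renamed uploads.
      2. The joined path is canonicalised with realpath() (collapses '..' and
         follows symlinks) and must still lie under uploads_dir.
    Note that os.path.join(base, "/etc/passwd") discards base entirely, so a
    containment check on the resolved path is needed even after the name check.
    """
    if not is_safe_filename(name):
        return None
    base = os.path.realpath(uploads_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical uploads folder.
    uploads = "/var/www/app/uploads"
    for requested in ["table.field.abc123.txt", "../models/db.py",
                      "..%2Fmodels%2Fdb.py", "/etc/passwd", "sub/file.txt"]:
        decision = resolve_download(uploads, requested)
        print(f"{requested!r:28} -> {'serve ' + decision if decision else 'refuse'}")
```

The shape check does the heavy lifting for a store()-renamed file, because such a name never legitimately contains a separator; the realpath/commonpath check is the backstop that does not depend on how the web framework decoded the URL.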