Михаил Лукин wrote:
> Well, I don't know what is under scarico/(\d+)/ - single file or a directory
> tree.
>
> In case of directory tree ".+" seems to be the best way, which is also
> documented at
> http://docs.djangoproject.com/en/dev/howto/static-files/
>
> In case of single file "[^/]+" instead of ".+" can be used. I think there
> could be not only space in filename. More complex validation based on other
> criteria like file existence should be made in a view.

If the server is *nix-like, this may be okay, but this can produce weird things like

  scarico/123/%01%02%03%04%05%00/

where you get file names/paths with control-characters in them. On Win32, you can get even weirder behaviors with file-streams/resource-forks [1], invalid UTF-16 characters, and prohibited filename characters such as

  scarico/123/hello%3afork/
  scarico/123/hello%3fworld/

Better to white-list the characters you do want in favor of allowing potentially devious characters.

-tim

[1] http://en.wikipedia.org/wiki/NTFS#Alternate_data_streams_.28ADS.29
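
The difference between the two permissive patterns and a white-list, run over the sample paths from the message above. This is an added example, not code from the thread or from Django. The white-list policy, the trailing-dot and reserved-device-name rules (which go beyond the cases named in the message), and the helper names are assumptions, as is the premise that the URL resolver sees the percent-decoded path.

```python
import re
from urllib.parse import unquote

# Patterns discussed in the thread: anything, or anything without a slash.
PERMISSIVE = re.compile(r"scarico/(\d+)/(?P<name>.+)/")
SINGLE_SEGMENT = re.compile(r"scarico/(\d+)/(?P<name>[^/]+)/")

# Whitelist (assumed policy): ASCII letters, digits, "_", "-", "."; must start
# with a letter or digit; at most 100 characters.
WHITELIST = re.compile(r"scarico/([0-9]+)/(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]{0,99})/")

# Device names Windows reserves regardless of extension.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}


def matched_name(pattern, raw_path):
    """Return the decoded filename if `pattern` matches the whole path, else None."""
    # Assumption: the resolver sees the percent-decoded path, so decode first.
    m = pattern.fullmatch(unquote(raw_path))
    return m.group("name") if m else None


def accepted_name(raw_path):
    """Whitelist check plus two rules a character class cannot express."""
    name = matched_name(WHITELIST, raw_path)
    if name is None:
        return None
    if name.endswith("."):  # Windows silently drops trailing dots
        return None
    if name.split(".", 1)[0].upper() in RESERVED:
        return None
    return name


if __name__ == "__main__":
    # Constructed sample paths; the first three are the ones from the message.
    for p in ("scarico/123/%01%02%03%04%05%00/", "scarico/123/hello%3afork/",
              "scarico/123/hello%3fworld/", "scarico/123/report_2009.pdf/",
              "scarico/123/nul.txt/"):
        print(f"{p!r:40} .+={matched_name(PERMISSIVE, p)!r:30} "
              f"whitelist={accepted_name(p)!r}")
```
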