Dear Massimo;
Thanks a lot!
Yeah, maybe that's why; web2py does not like spaces in file paths.
Yeah, currently a directory traversal attack can be done; one can easily download
any file outside of the web2py root lol :D.
Yes, I will fix it too.
Regards,
Phyo.
On Mon, Oct 13, 2008 at 7:27 PM, mdipierro <[EMAIL PROTECTED]> wrote:
>
> I am not sure I understand. web2py does not like spaces in the URL.
> There is no way around it. It is a security measure. "%20" counts as a
> space.
>
> You can download those files by building your own method
>
>     import os
>
>     def mystatic():
>         # path is taken straight from the request; no traversal check yet
>         file=request.vars.path
>         return response.stream(os.path.join(response.folder,'static',file))
>
> and link them as
>
>     <a href="{{=URL(r=request,f='mystatic',vars=dict(path='your file.html'))}}">...</a>
>
> Mind that you still need to validate the file for directory traversal
> attacks.
>
> Massimo
>
> On Oct 13, 1:01 pm, "Phyo Arkar" <[EMAIL PROTECTED]> wrote:
> > Dear Massimo;
> >
> > The file browser I made is working well but there are a few problems.
> >
> > When a file has a space in its file name, it fails to link it.
> >
> > Here is the code and result:
> >
> > How can I get it working?
> >
> > Below is the code:
> >
> > # session.forget() ## uncomment if you do not need sessions
> >
> > def index():
> >     response.heading2='Digital Library'
> >     response.flash="Welcome to Alba Digital Library!"
> >     path = __dir_list__('/opt/web2py/applications/ealba/static/books')
> >     #path = __generate_files__('/opt/web2py/applications/ealba/static/books')
> >     response.category=path
> >     return dict(message='Book Categories')
> >
> > def browse_files():
> >     import glob,os
> >     # request.vars.path is globbed as given, with no check that it stays under books/
> >     pth = glob.glob("%s*" % request.vars.path)
> >     response.flash="Download Books Here!"
> >
> >     # file names of the matches
> >     path = []
> >     for f in pth:
> >         path.append("%s" % os.path.basename(f))
> >
> >     # directory of each match, relative to the books folder
> >     base = []
> >     for f in pth:
> >         base.append ("%s" % f.replace(os.path.basename(f),'').replace( \
> >             "/opt/web2py/applications/ealba/static/books/",''))
> >     response.books = [base,path]
> >     response.heading2 = 'Digital Library'
> >
> >     # f is the last match from the loops above
> >     return dict(message=request.vars.path.replace(os.path.basename(f),'').replace("/opt/web2py/applications/ealba/static/books/",''))
> >
> > def __dir_list__(path):
> >     import os
> >     dir = []  # returned as-is when the path does not exist
> >     if os.path.exists(path):
> >         dir=os.listdir(path)
> >
> >     return dir
> >
> > _View_ : browse_files.html
> >
> > {{extend 'layout.html'}}
> > {{try:}}{{=H3(message)}}{{except:}}{{=BEAUTIFY(response._vars)}}{{pass}}
> > <table>
> > <tr>
> > {{i=0}}{{f=response.books}}
> > {{for i in range(0,len(response.books[0])):}}
> >
> > <td class="cat" > <a href= {{="../static/books/" + f[0][i]}}
> > {{=f[1][i].replace(" " ,"%20")}} > {{=f[1][i].replace(" ","%20")}} </a>
> > </td>
> > <tr></tr>
> > {{pass}}
> > </table>
> >
>
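One way to do the validation Massimo mentions for a handler like mystatic, as an added example that is not part of the original thread and not web2py's own code. The names resolve_under, TraversalError and demo are hypothetical, the code uses only the Python 3 standard library, and the directory tree and request values are constructed for the demonstration.

```python
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a requested path resolves outside the allowed directory."""


def resolve_under(base_dir, user_path):
    """Return the real path of untrusted user_path inside trusted base_dir, or raise."""
    if not user_path or "\x00" in user_path:
        raise TraversalError("empty path or NUL byte")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute, and realpath
    # collapses ".." and follows symlinks, so compare only the resolved result.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError("path escapes %s" % base)
    if not os.path.isfile(candidate):
        raise TraversalError("not a regular file")
    return candidate


def demo():
    """Run constructed requests against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        static = os.path.join(root, "static")
        os.makedirs(os.path.join(static, "books"))
        with open(os.path.join(static, "books", "your file.html"), "w") as fh:
            fh.write("ok")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("outside")
        # Constructed inputs: one legitimate name with a space, three escapes.
        for req in ["books/your file.html", "../secret.txt",
                    "books/../../secret.txt", os.path.join(root, "secret.txt")]:
            try:
                resolve_under(static, req)
                results[req] = "served"
            except TraversalError:
                results[req] = "rejected"
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(verdict, repr(path))
```

In a handler such as mystatic, the value from request.vars.path would go through a check like this before being passed to response.stream, with a rejection turned into an error response.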