Thanks Kyle. What I have to say below may be heresy...
In light of the silence on this subject, I've decided that web2py's URL validation (for the purposes of mapping URLs to applications/controllers/functions) oversteps its bounds and over-zealously restricts (at least for my own purposes). I've come to the opinion that web2py should only validate the portions of the URL that it needs to parse in order to run the appropriate function and pass the appropriate args. All other input sanitization should be left to the relevant application functions.

Regarding RFC1738, as I mentioned below, this is meaningless because the wsgiserver already unquotes the path before it passes it on to web2py.

In the practical sense, this means that web2py should only validate the first three elements of the path and leave the rest to the application. This also leaves an implementation problem with regular expressions, but that's another story.

Opinions? Thoughts? Tomatoes?

Kyle Smith wrote:
> You are absolutely correct that it's not the same discussion. I was
> just trying to point you to previous conversation about url validation
> in general since it is a similar topic.
>
> Kyle
>
> On Wed, Oct 22, 2008 at 1:50 PM, Timothy Farrell <[EMAIL PROTECTED]> wrote:
> > Thanks for your input, but this is not about the IS_URL
> > validator. This is about web2py utterly rejecting any request
> > that has an apostrophe (or other RFC-valid punctuation) in the
> > middle of the path.
> >
> > -tim
> >
> > Kyle Smith wrote:
> > > A similar discussion happened shortly after I started using
> > > web2py. If you read through this thread you can see the
> > > discussion that Massimo and I had on the topic. You probably want
> > > to jump down to around message 13 in the thread.
> > >
> > > http://groups.google.com/group/web2py/browse_frm/thread/414723e11c9f95b9?tvc=1&q=IS_URL
> > >
> > > I currently use my own validator (also not completely RFC1738
> > > compliant) for parsing urls instead of the built in IS_URL.
> > >
> > > Kyle
> > >
> > > On Wed, Oct 22, 2008 at 1:21 PM, Timothy Farrell <[EMAIL PROTECTED]> wrote:
> > > > Ugh, I have an issue.
> > > >
> > > > It has come to my attention that the URL validation does not
> > > > conform to RFC1738 (section 2.2 is the most relevant). This
> > > > is fine for the schema://host/application/controller/function
> > > > part of the URL, but it causes problems in such circumstances
> > > > that I ran into today. Here are the details:
> > > >
> > > > I made a PDF file pass-through that I access like:
> > > > /init/default/pdfpass/dir/PDF_FILENAME.pdf
> > > >
> > > > I ran into the problem of sometimes a request comes in that
> > > > looks like: /init/default/pdfpass/dir/PDF'FILENAME.pdf
> > > > (notice the apostrophe)
> > > >
> > > > This doesn't play well with the URL validation regexp from
> > > > main.py line 39. I would like to be able to use normal URL
> > > > characters in my function arguments.
> > > >
> > > > For those with not enough time/patience to read an RFC,
> > > > normal path characters are: letters, numbers, and *$ - _ . +
> > > > ! * ' ( ) ,* This does not include the special URL path
> > > > characters: */ @ ? : = & ;*
> > > >
> > > > Thoughts? Can we include these characters without
> > > > compromising security?

-- 
Timothy Farrell
Computer Guy, IT, Statewide General Insurance Agency
www.swgen.com
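
One way to implement the split proposed in the top message, as an added example (not code from this thread or from web2py): the router validates only application/controller/function, and a pass-through handler like the pdfpass function described in the thread checks its own args. The names `split_route` and `pdfpass_target`, the `\w+` rule and the `/srv/pdfs` base directory are assumptions.

```python
import posixpath
import re

# Assumption: identifier rule for the three routed elements.
# This is not the regexp from web2py's main.py.
ROUTE_PART = re.compile(r"\w+", re.ASCII)


def split_route(path):
    """Validate only application/controller/function; return args untouched.

    `path` is assumed to be already unquoted by the server, as the
    thread says the wsgiserver does.
    """
    parts = path.lstrip("/").split("/")
    if len(parts) < 3 or not all(ROUTE_PART.fullmatch(p) for p in parts[:3]):
        raise ValueError("invalid application/controller/function")
    return parts[0], parts[1], parts[2], parts[3:]


def pdfpass_target(args, base="/srv/pdfs"):
    """Application-side check: map args to a PDF path that stays under base.

    Punctuation such as an apostrophe is accepted; only segments that
    could change which directory is read are refused.
    """
    if not args:
        raise ValueError("no file requested")
    for seg in args:
        if seg in ("", ".", "..") or "\x00" in seg or "\\" in seg:
            raise ValueError("unsafe path argument")
    if not args[-1].lower().endswith(".pdf"):
        raise ValueError("not a PDF")
    root = base.rstrip("/") + "/"
    target = posixpath.normpath(posixpath.join(root, *args))
    # Second line of defence: the normalized result must still be inside base.
    if not target.startswith(root):
        raise ValueError("escapes base directory")
    return target


if __name__ == "__main__":
    # Constructed request path, taken from the shape given in the thread.
    app, ctrl, func, args = split_route("/init/default/pdfpass/dir/PDF'FILENAME.pdf")
    print(app, ctrl, func, pdfpass_target(args))
```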

