I do not know what users do with their args variables. They may be using them to open files or call functions, etc. I think it is safe to make sure there are only \w+ in there. If you need to pass arbitrary values, use vars.
Massimo

On May 4, 9:28 am, Álvaro Justen [Turicas] <[email protected]> wrote:
> On Mon, May 4, 2009 at 11:20 AM, mdipierro <[email protected]> wrote:
> > Out 17 and 19 would not work (unless you use routes.py) because URL
> > is validated and @ is not allowed, not even encoded. It is a security
> > measure.
>
> What does it prevent?
>
> > > On May 4, 2:25 am, Yarko Tymciurak <[email protected]> wrote:
> > > If you look at URL, you will see that args and vars are urllib.quote()-ed.
> > >
> > > In general, you do not want to undo this; but if your controller checks
> > > for email, you can see the effects, e.g.:
> > >
> > > In [17]: URL(r=request, f='mailme', args='[email protected]')
> > > Out[17]: '/welcome/default/mailme/manny%40jack.moe'
> > >
> > > In [18]: URL(r=request, f='mailme', vars=dict(email='[email protected]'))
> > > Out[18]: '/welcome/default/mailme?email=manny%40jack.moe'
> > >
> > > In [19]: urllib.unquote(URL(r=request, f='mailme', args='[email protected]'))
> > > Out[19]: '/welcome/default/mailme/[email protected]'
> > >
> > > In [20]: urllib.unquote(URL(r=request, f='mailme',
> > >     vars=dict(email='[email protected]
> > >     oe')))
> > > Out[20]: '/welcome/default/[email protected]'
> > >
> > > But since you are only concerned with the string mapping of '%40' to '@',
> > > you can do that more directly (and it would be safer than a general url
> > > unquote()).
> > >
> > > -Yarko
>
> --
> Álvaro Justen
> Peta5 - Telecommunications and Free Software
> 21 3021-6001 / 9898-0141
> http://www.peta5.com.br/
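As an added example (not code from this thread or from web2py itself), here is a Python 3 sketch of the rule Massimo describes: each path arg must match \w+ after percent-decoding, so '@' is rejected whether it is sent literally or as '%40', while vars carry arbitrary values in the query string. The function names and the /app/controller/function/args URL layout are assumptions made for the illustration.

```python
import re
import urllib.parse

# Constructed illustration, not web2py's own code: every path arg must
# match \w+ after percent-decoding, so '@' is rejected even when sent
# as '%40'. Arbitrary values travel in vars (the query string) instead.
ARG_RE = re.compile(r'\w+')

def validate_args(segments):
    """Accept a list of raw path segments only if each one is \\w+ after
    decoding; return the decoded args or raise ValueError."""
    args = []
    for seg in segments:
        decoded = urllib.parse.unquote(seg)
        if not ARG_RE.fullmatch(decoded):
            raise ValueError('invalid arg %r' % seg)
        args.append(decoded)
    return args

def build_url(app, controller, function, args=(), vars=None):
    """Build a URL the way the thread's URL() does: args are quoted path
    segments, vars become a percent-encoded query string."""
    parts = [app, controller, function]
    parts += [urllib.parse.quote(a, safe='') for a in args]
    url = '/' + '/'.join(parts)
    if vars:
        url += '?' + urllib.parse.urlencode(vars)
    return url

def dispatch(url):
    """Strict on args, permissive on vars: return (args, vars) for a URL
    of the form /app/controller/function/arg1/arg2?k=v."""
    parsed = urllib.parse.urlsplit(url)
    segments = [s for s in parsed.path.split('/')[4:] if s]
    args = validate_args(segments)
    return args, dict(urllib.parse.parse_qsl(parsed.query))

def accepts(url):
    """True if dispatch() takes the URL, False if its args are rejected."""
    try:
        dispatch(url)
        return True
    except ValueError:
        return False
```

The same check also rejects a decoded '..' segment, which is the "open files" case Massimo has in mind, while the email survives intact when passed through vars.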

