Massimo,

Is there any security provision that would prevent someone from doing
a symbolic link substitution for the '../static' folder in Web2Py?

On Jun 28, 7:32 pm, mdipierro <[email protected]> wrote:
> No. Let's step back for a second.
>
> Say you have a file in path="/home/you/somewhere/file.txt" the path
> allows you to identify the file and web2py server side can access the
> file using
>
>    open(path,'r').read() or open(path,'w').write()
>
> nevertheless this file cannot be requested remotely. There is no URL
> that maps into this file. web2py does not allow it for security
> reasons. A URL is not a path.
>
> If a file has path="/home/you/somewhere/web2py/applications/yourapp/
> static/there/file.txt" then this file is under the static folder of a
> web2py app (yourapp) and it is visible from outside. The web2py URL of
> this file is
>
>    http://127.0.0.1:8000/yourapp/static/there/file.txt
>
> You can build the "/yourapp/static/there/file.txt" path of the URL
> using the following web2py function:
>
>    URL(a=request.application,c='static',f='there/file.txt')
>
> where a is the application name, c= is the controller you want (the
> one that grabs from static folder) and f is the actual filename under
> the static folder. If you are calling the above function from the app
> yourapp you can use the shortcut
>
>    URL(r=request,c='static',f='there/file.txt')
>
> so that it figures out the request.application from the r = request
> object.
>
> NEVER mix file system paths with URL paths.
>
> Massimo
>
> On Jun 28, 6:33 pm, weheh <[email protected]> wrote:
>
> > Along this line of using URLs and joins, I'm doing the following but
> > it's not working for me:
>
> > input_file = URL(r=request,a='static',c='temp',f='test.txt')
> > ifile=open(input_file,'w')
>
> > This doesn't work, either:
>
> > input_file = os.path.join(request.folder,URL
> > (r=request,a='static',c='temp',f='test.txt'))
> > ifile=open(input_file,'w')
>
> > In both cases I get
>
> > IOError: [Errno 2] No such file or directory: '/static/temp/test.txt'
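
As an added example (not part of the thread and not web2py's own code), one way server-side code can turn a name under an application's static folder into a file system path while rejecting symbolic-link substitution and `..` traversal. The helper names `resolve_static_path`, `check` and `demo` are hypothetical, and the directory tree is constructed in a temporary folder.

```python
import os
import tempfile


def resolve_static_path(app_folder, relative_name):
    """Return the real path of a name under <app_folder>/static.

    Hypothetical helper, not a web2py API. Raises ValueError when the
    result leaves the static folder through '..' or a symbolic link.
    """
    app_root = os.path.realpath(app_folder)
    static_root = os.path.realpath(os.path.join(app_root, 'static'))
    # If 'static' itself was replaced by a symlink, it resolves elsewhere.
    if static_root != os.path.join(app_root, 'static'):
        raise ValueError('static folder is a symbolic link')
    candidate = os.path.realpath(os.path.join(static_root, relative_name))
    # '..' components or links inside static must not lead out of it.
    if os.path.commonpath([static_root, candidate]) != static_root:
        raise ValueError('path escapes the static folder')
    return candidate


def check(app_folder, relative_name):
    """Report 'allowed' or 'rejected' for one lookup."""
    try:
        resolve_static_path(app_folder, relative_name)
        return 'allowed'
    except ValueError:
        return 'rejected'


def demo():
    """Run the cases against a constructed application tree."""
    with tempfile.TemporaryDirectory() as base:
        app = os.path.join(base, 'applications', 'yourapp')
        os.makedirs(os.path.join(app, 'static', 'temp'))
        outside = os.path.join(base, 'outside')
        os.makedirs(outside)
        os.symlink(outside, os.path.join(app, 'static', 'link'))
        swapped = os.path.join(base, 'applications', 'otherapp')
        os.makedirs(swapped)
        os.symlink(outside, os.path.join(swapped, 'static'))
        return {
            'plain': check(app, os.path.join('temp', 'test.txt')),
            'dotdot': check(app, os.path.join('..', '..', 'secret.txt')),
            'link_inside': check(app, os.path.join('link', 'x.txt')),
            'static_swapped': check(swapped, 'x.txt'),
        }
```

The check is a point-in-time resolution: it does not protect against a link being swapped in between the check and the later `open()`.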