I do not understand the question. If you are talking about directory traversal attacks, they are prevented by URL validation. A folder under static can be a symbolic link.
Massimo

On Jun 29, 11:22 am, JohnMc <[email protected]> wrote:
> Massimo,
>
> Is there any security provision that would prevent someone from doing
> a symbolic link substitution for the '../static' folder in Web2Py?
>
> On Jun 28, 7:32 pm, mdipierro <[email protected]> wrote:
>
> > No. Let's step back for a second.
> >
> > Say you have a file in path="/home/you/somewhere/file.txt" the path
> > allows you to identify the file and web2py server side can access the
> > file using
> >
> > open(path,'r').read() or open(path,'w').write()
> >
> > nevertheless this file cannot be requested remotely. There is no URL
> > that maps into this file. web2py does not allow it for security
> > reasons. A URL is not a path.
> >
> > If a file has
> > path="/home/you/somewhere/web2py/applications/yourapp/static/there/file.txt"
> > then this file is under the static folder of a
> > web2py app (yourapp) and it is visible from outside. The web2py URL of
> > this file is
> >
> > http://127.0.0.1:8000/yourapp/static/there/file.txt
> >
> > You can build the "/yourapp/static/there/file.txt" path of the URL
> > using the following web2py function:
> >
> > URL(a=request.application,c='static',f='there/file.txt')
> >
> > where a is the application name, c= is the controller you want (the
> > one that grabs from static folder) and f is the actual filename under
> > the static folder. If you are calling the above function from the app
> > yourapp you can use the shortcut
> >
> > URL(r=request,c='static',f='there/file.txt')
> >
> > so that it figures out the request.application from the r = request
> > object.
> >
> > NEVER mix file system paths with URL paths.
> >
> > Massimo
> >
> > On Jun 28, 6:33 pm, weheh <[email protected]> wrote:
> >
> > > Along this line of using URLs and joins, I'm doing the following but
> > > it's not working for me:
> > >
> > > input_file = URL(r=request,a='static',c='temp',f='test.txt')
> > > ifile=open(input_file,'w')
> > >
> > > This doesn't work, either:
> > >
> > > input_file = os.path.join(request.folder,URL(r=request,a='static',c='temp',f='test.txt'))
> > > ifile=open(input_file,'w')
> > >
> > > In both cases I get
> > >
> > > IOError: [Errno 2] No such file or directory: '/static/temp/test.txt'
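
An added example, not part of the original messages and not web2py's own code: os.path.join discards the base folder when a later component is absolute, which is why joining a folder with the URL path from the error above still gives '/static/temp/test.txt'. The names app (standing in for request.folder), static_fs_path and resolves_inside are hypothetical, the directory tree is constructed in a temp folder, and the realpath comparison is one way for a deployer to see whether a path under static resolves outside it through a symbolic link.

```python
import os
import tempfile

def static_fs_path(app_folder, *parts):
    """Build a filesystem path under <app_folder>/static from relative parts."""
    for p in parts:
        if os.path.isabs(p) or ".." in p.split("/"):
            raise ValueError("not a relative component: %r" % p)
    return os.path.join(app_folder, "static", *parts)

def resolves_inside(base, path):
    """True if path, after following symlinks, is still under base."""
    base_real = os.path.realpath(base)
    path_real = os.path.realpath(path)
    return os.path.commonpath([base_real, path_real]) == base_real

def demo():
    # Constructed layout: <tmp>/applications/yourapp/static/temp and <tmp>/outside
    root = tempfile.mkdtemp()
    app = os.path.join(root, "applications", "yourapp")
    static = os.path.join(app, "static")
    os.makedirs(os.path.join(static, "temp"))
    outside = os.path.join(root, "outside")
    os.makedirs(outside)

    url_path = "/static/temp/test.txt"    # URL path, as in the IOError above
    joined = os.path.join(app, url_path)  # absolute component: app is dropped

    good = static_fs_path(app, "temp", "test.txt")  # filesystem path
    with open(good, "w") as fh:
        fh.write("ok")

    # A folder under static that is a symbolic link to somewhere else
    os.symlink(outside, os.path.join(static, "linked"))
    linked = static_fs_path(app, "linked", "file.txt")
    return {
        "joined": joined,
        "good_exists": os.path.isfile(good),
        "good_inside": resolves_inside(static, good),
        "linked_inside": resolves_inside(static, linked),
    }

if __name__ == "__main__":
    print(demo())
```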

