Note, if you are confident you can validate the input and won't be subject 
to the security concerns Massimo mentioned, you can access the original 
untransformed args via request.raw_args. Note, that is the entire arg 
string, including the "/" separators (i.e., it is not converted to a list 
of args).

Anthony

On Wednesday, July 27, 2016 at 1:53:53 PM UTC-4, Massimo Di Pierro wrote:
>
> web2py restricts what chars can be in the args to avoid problems. For 
> example # cannot be in the args because it is used to separate the hash. 
> Also often the args are used to access files or other resources and we want 
> to protect against possible insecure direct object reference attacks (
> https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
> )
>
>
> On Wednesday, 27 July 2016 06:32:59 UTC-5, Mirek Zvolský wrote:
>>
>> If I use
>> URL('action', args=("a#b", "a:b"))
>>
>> I will receive
>> request.args == ['a_b', 'a_b']
>>
>> So I need to use something like base64.b32encode() for each one item from 
>> args.
>>
>>
>> Probably this is "by design" behaviour,
>> but I'm curious why is it so?
>>
>> urllib.quote / .unquote returns the original value a#b, a:b
>>
>>
>> [web2py 2.14.5]
>>
>>
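
Added example (not part of the original thread and not web2py's own code): one way to validate the string taken from request.raw_args before its segments are used to locate a file, which is the risk Massimo describes. The function names, the character allow-list and the 64-character limit are assumptions chosen for illustration; the input is assumed to be the "/"-separated string exactly as request.raw_args provides it.

```python
import os
import re

# Example policy (an assumption, not web2py's rule): letters, digits and a
# few punctuation marks, including the "#" and ":" from the question.
# "/" , "\" , NUL, whitespace and control characters are never allowed.
SEGMENT_RE = re.compile(r"[A-Za-z0-9_.#:@-]{1,64}\Z")


def split_raw_args(raw_args):
    """Split the raw arg string on "/" and validate every segment.

    Raises ValueError on the first segment that is empty, is "." or "..",
    or contains a character outside the allow-list.
    """
    if not raw_args:
        return []
    segments = raw_args.split("/")
    for seg in segments:
        if seg in (".", "..") or not SEGMENT_RE.match(seg):
            raise ValueError("rejected arg segment: %r" % seg)
    return segments


def resolve_under(base_dir, segments):
    """Join validated segments onto base_dir and confirm the result stays inside it.

    realpath() resolves symlinks, so a link inside base_dir that points
    elsewhere is caught as well.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *segments))
    if target != base and not target.startswith(base + os.sep):
        raise ValueError("path escapes base directory: %r" % target)
    return target


if __name__ == "__main__":
    # Constructed sample inputs, standing in for request.raw_args values.
    for raw in ("a#b/a:b", "../secret", "a//b"):
        try:
            print(raw, "->", resolve_under("/tmp/uploads", split_raw_args(raw)))
        except ValueError as exc:
            print(raw, "-> refused:", exc)
```

Passing these checks only shows the path is well-formed and inside the base directory; whether the current user may read that object still needs its own authorization check.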
