This is unsafe and may open the door to directory traversal attacks. Download security relies on URL regex validation and you are bypassing it.
On Jan 1, 12:05 pm, "Arun K.Rajeevan" <[email protected]> wrote:
> I did just this and it seems to be working
>
> args = request.raw_args
> args = args.split('/')
>
> But now the problem is with the download function.
> It works by taking the filename from request.args;
> now it should take the value from request.raw_args.
>
> My download function is the following:
>
> def download():
>     return response.download(request.raw_args,db)
>
> So I changed it to
>
> import os, time
> filename = os.path.join(request.folder,'uploads',request.raw_args.split('/')[0])
> return response.stream(open(filename,'rb'))
>
> Now it shows images in the page. But
> before, the download button opened a save file box; now it's shown in a page
> (picture in text form).
>
> How to make the function open the save file box?
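An added example, not part of the original posts and not web2py's own code: one way to put back the name validation that the hand-built path skips, and to send the headers that make a browser offer a save dialog. The names `resolve_upload`, `attachment_headers` and the `SAFE_NAME` pattern are assumptions made for this sketch; in a web2py controller the returned headers would be set on `response.headers` before streaming.

```python
import os
import re
import tempfile

# Assumed allow-list, not web2py's own pattern: dot-separated runs of
# ASCII letters, digits, underscores and hyphens (no "..", no separators).
SAFE_NAME = re.compile(r"[\w-]+(?:\.[\w-]+)*", re.ASCII)

def resolve_upload(upload_dir, raw_args):
    """Return the real path of the requested file under upload_dir, or None."""
    name = raw_args.split("/")[0]
    if not SAFE_NAME.fullmatch(name):
        return None
    base = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a link that points outside is refused too.
    if os.path.commonpath([base, path]) != base or not os.path.isfile(path):
        return None
    return path

def attachment_headers(path):
    """Headers that make the browser offer a save dialog instead of rendering."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % os.path.basename(path),
    }

def demo():
    """Run the check against a constructed uploads folder; return name -> allowed."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        for p in (os.path.join(uploads, "pics.image.abc123.png"),
                  os.path.join(root, "settings.txt")):
            with open(p, "wb") as f:
                f.write(b"constructed sample data")
        requests = ["pics.image.abc123.png/extra", "..", "..\\settings.txt",
                    "missing.png", ""]
        return {r: resolve_upload(uploads, r) is not None for r in requests}

if __name__ == "__main__":
    for request_args, allowed in demo().items():
        print(repr(request_args), "->", "served" if allowed else "refused")
```
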

