On Jan 1, 2011, at 10:05 AM, Arun K.Rajeevan wrote:
> I did just this and it seems to be working
>
> args = request.raw_args
> args = args.split('/')
>
> But now the problem is with the download function.
> It works by taking the filename from request.args;
> now it should take the value from request.raw_args.
>
> My download function is the following:
>
> def download():
>     return response.download(request.raw_args,db)
I suggest this:
    import re

    # Accept only names built from word characters, '@', space and '-',
    # each optionally followed by a single '=' or '.'
    file_match = re.compile(r'([\w@ -][=.]?)+$')

    def download():
        file = request.raw_args.split('/')[-1]
        if not file_match.match(file):
            raise HTTP(400, thread.routes.error_message % 'invalid request',
                       web2py_error='invalid args')
        request.args = [file]
        return response.download(request, db)
Notice that response.download will be looking at args[-1]; that's why we're
taking [-1] above.
Massimo's point is important: when you use raw_args, it's your responsibility
to validate each arg; otherwise you're opening yourself up to attack.
file_match above is the standard arg-checking pattern.
>
> So I changed it to
>
> import os, time
> filename = os.path.join(request.folder,'uploads',request.raw_args.split('/')[0])
> return response.stream(open(filename,'rb'))
>
> Now it shows images in the page. But before, the download button
> opened a save-file box; now it's shown in a page
> (picture in text form).
>
> How can I make the function open the save-file box?
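
The validation step from the reply above, as an added example that is not part of the original thread: it runs the reply's file_match pattern over constructed raw_args values and compares the result with where the unvalidated first segment would resolve under an uploads directory. UPLOADS, checked_name, resolves_inside_uploads and the sample values are assumptions made for illustration.

```python
import posixpath
import re

# Pattern quoted from the reply above.
file_match = re.compile(r'([\w@ -][=.]?)+$')

# Constructed stand-in for os.path.join(request.folder, 'uploads').
UPLOADS = '/srv/app/uploads'

def checked_name(raw_args):
    """Return the last segment of raw_args if file_match accepts it, else None."""
    name = raw_args.split('/')[-1]
    return name if file_match.match(name) else None

def resolves_inside_uploads(segment):
    """True if joining segment under UPLOADS still points at a path inside it."""
    target = posixpath.normpath(posixpath.join(UPLOADS, segment))
    return target.startswith(UPLOADS + '/')

# Constructed sample values for request.raw_args.
SAMPLES = [
    'image.file.8a1b2c3d.6a7067.jpg',        # typical stored upload name
    'album/image.file.8a1b2c3d.6a7067.jpg',  # extra leading segment
    '..',                                    # parent-directory segment
    'album/..',
    '.htaccess',                             # leading dot
    'a..b',                                  # consecutive dots
    'name;rm.txt',                           # character outside the allowed set
    '',                                      # empty segment
]

def report():
    """For each sample: (raw, validated name or None, first segment stays inside)."""
    rows = []
    for raw in SAMPLES:
        first = raw.split('/')[0]  # what the unvalidated os.path.join version uses
        rows.append((raw, checked_name(raw), resolves_inside_uploads(first)))
    return rows

if __name__ == '__main__':
    for raw, name, inside in report():
        print('%-42r checked=%-36r first-segment-inside=%s' % (raw, name, inside))
```

The pattern rejects leading dots, consecutive dots and empty names, so a segment that would leave the uploads directory never reaches the file-opening call.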