hi,

> of directory traversal attacks (~ specifically).
how exactly?

I am talking about arguments and only arguments.
I agree that ~ in the case of application/controller/method makes no sense.
In the case of static, I agree 100%, but that is a different control path.

The arguments are just that, arguments. If you put such a blanket
statement about arguments in the URL, should you also do it for forms? In
the end these are also arguments, and someone may take them 1:1 and feed
them into 'open'.
It is up to the controller to decide what to do with args. I believe
nobody takes anything that comes from the browser (args or form elements)
and tries to use it as an argument of 'open'. In the case of web2py, the DAL
already delivers a perfect mechanism to take whatever comes and
convert it into a reasonable name:
filename=db.table.field.store(content,whatever_convoluted_name_we_get).


To be specific about the args filtering:

args must match:
import re

regex_args = re.compile(r'''
     (^
         (?P<s>
             ( [\w@/-][=.]? )*          # s=args
         )?
     /?$)    # trailing slash
     ''', re.X)

what I suggest is:
regex_args = re.compile(r'''
     (^
         (?P<s>
             ( [~\w@/-][=.]? )*          # s=args
         )?
     /?$)    # trailing slash
     ''', re.X|re.U)



Cheers,
Pawel
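The two patterns quoted in the message, run side by side over a few constructed sample args so a reader can see exactly what each one accepts; this is an added example, not code from the message or from web2py itself, and the sample strings are made up for illustration.

```python
import re

# Current args pattern, as quoted in the message.
REGEX_ARGS_CURRENT = re.compile(r'''
    (^
        (?P<s>
            ( [\w@/-][=.]? )*          # s=args
        )?
    /?$)    # trailing slash
    ''', re.X)

# Proposed pattern: '~' added to the character class, re.U enabled.
REGEX_ARGS_PROPOSED = re.compile(r'''
    (^
        (?P<s>
            ( [~\w@/-][=.]? )*          # s=args
        )?
    /?$)    # trailing slash
    ''', re.X | re.U)


def accepted(pattern, args):
    """True if the whole args string is matched by the pattern."""
    return pattern.match(args) is not None


def compare(args_list):
    """Map each args string to (accepted_by_current, accepted_by_proposed)."""
    return {
        a: (accepted(REGEX_ARGS_CURRENT, a), accepted(REGEX_ARGS_PROPOSED, a))
        for a in args_list
    }


# Constructed sample args (hypothetical, not from the original message).
SAMPLES = [
    "alice/report.pdf",   # ordinary args: accepted by both
    "~alice/report.pdf",  # leading tilde, the case under discussion
    "../../etc/passwd",   # dot-dot segment: rejected by both
    "a/../b",             # dot-dot in the middle: rejected by both
    "a.b.c",              # a dot after a word char is fine for both
]

if __name__ == "__main__":
    for a, (cur, prop) in compare(SAMPLES).items():
        print(f"{a!r:22} current={cur!s:5} proposed={prop}")
```

Neither pattern admits a `..` segment, because a dot may only follow a single word-class character; the only behavioural difference is that the proposed one accepts `~`, so whether that matters depends on what a controller later does with the value (for example, passing it through an expanduser-style call).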
