hi,

> of directory traversal attacks (~ specifically).

how exactly?
I am talking about arguments and only arguments. I agree that ~ in case of application/controller/method makes no sense. In case of static I agree 100%, but that is a different control path. The arguments are just that, arguments. If you put such a blanket statement about arguments in the URL, should you also do it for forms? At the end these are also arguments and someone may take them 1:1 and feed them into 'open'. It is up to the controller to decide what to do with args. I believe nobody takes anything that comes from the browser (args or form elements) and tries to use it as an argument of 'open'. In case of web2py, DAL already delivers a perfect mechanism to take whatever comes and convert it into a reasonable name:

    filename = db.table.field.store(content, whatever_convoluted_name_we_get)

To be specific about the args filtering: args must match:

    import re

    regex_args = re.compile(r'''
        (^
            (?P<s> ( [\w@/-][=.]? )* )?    # s=args
        /?$)                               # trailing slash
        ''', re.X)

What I suggest is:

    regex_args = re.compile(r'''
        (^
            (?P<s> ( [~\w@/-][=.]? )* )?   # s=args
        /?$)                               # trailing slash
        ''', re.X|re.U)

Cheers,
Pawel
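As an added example (not from Pawel's post and not web2py's own code), the two patterns compiled side by side and run over constructed arg strings: it shows which strings each version accepts, and that neither version accepts a `..` sequence or a leading dot, because `[=.]?` only permits a single dot directly after a character from the class. The sample strings are constructed for the demonstration; behaviour is that of Python 3's `re` module.

```python
import re

# Current web2py args pattern, as quoted in the post.
REGEX_ARGS_CURRENT = re.compile(r'''
    (^
        (?P<s> ( [\w@/-][=.]? )* )?    # s=args
    /?$)                               # trailing slash
    ''', re.X)

# Pawel's proposal: '~' added to the character class. re.U is a no-op
# for str patterns on Python 3, where \w is already Unicode-aware.
REGEX_ARGS_PROPOSED = re.compile(r'''
    (^
        (?P<s> ( [~\w@/-][=.]? )* )?   # s=args
    /?$)                               # trailing slash
    ''', re.X | re.U)


def accepted(args, pattern):
    """True if the whole args string passes `pattern` (anchored by ^ and $)."""
    return pattern.match(args) is not None


def compare(args):
    """Return (accepted by current pattern, accepted by proposed pattern)."""
    return accepted(args, REGEX_ARGS_CURRENT), accepted(args, REGEX_ARGS_PROPOSED)


# Constructed sample arg strings (not taken from the thread).
SAMPLES = [
    "user/report.pdf",      # ordinary args: both accept
    "~pawel/report.pdf",    # leading '~': only the proposed pattern accepts
    "a=b/c-d@e/",           # '=', '-', '@' and a trailing slash: both accept
    "../../etc/passwd",     # a leading '.' never matches the class: both reject
    "~pawel/..secret",      # second '.' cannot start a new unit: both reject
    "files/a..b",           # '[=.]?' allows one dot per character: both reject
]


def evaluate_samples():
    """Map each sample to its (current, proposed) verdicts."""
    return {args: compare(args) for args in SAMPLES}


if __name__ == "__main__":
    for args, (cur, new) in evaluate_samples().items():
        print(f"{args:20} current={cur!s:5} proposed={new!s:5}")
```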