hi,
thanks! That solved my ~ problem.
Unfortunately for my öäü (chars above 128 and below 255 in latin-1) I
still need to overcome 2 challenges:
1. re.U must be supplied to compile or match to take advantage of
unicode interpretation of \w.
I could shift compile into the routes.py. Is it acceptable?
2. At some point before the match call, args have to be subjected to
decode('utf-8') to become unicode.
Any suggestions?
--Pawel
On Oct 25, 9:18 pm, Jonathan Lundell <[email protected]> wrote:
> On Oct 25, 2011, at 11:57 AM, Pawel Jasinski <[email protected]> wrote:
>
> > hi,
>
> >> of directory traversal attacks (~ specifically).
> > how exactly?
>
> > I am talking about arguments and only arguments.
> > I agree that ~ in case of application/controller/method makes no sense.
> > In the case of static I agree 100%, but that is a different control path.
>
> If you enable the parametric router, you'll get the kind of args handling you
> want, with the added feature that you can rewrite the args validation regex.
>
> > The arguments are just that, arguments. If you put such a blanket
> > statement about arguments in url, should you also do it for forms? At
> > the end these are also arguments and someone may take it 1:1 and feed
> > into 'open'.
> > It is up to the controller to decide what to do with args. I believe
> > nobody takes anything what comes from browser (args or form elements)
> > and try to use it as argument of the 'open'. In case of web2py, DAL
> > delivers already a perfect mechanism to take whatever comes and
> > convert into reasonable name:
> > filename=db.table.field.store(content,whatever_convoluted_name_we_get).
>
> > To be specific about the args filtering:
>
> > args must match:
> > regex_args = re.compile(r'''
> > (^
> > (?P<s>
> > ( [\w@/-][=.]? )* # s=args
> > )?
> > /?$) # trailing slash
> > ''', re.X)
>
> > what I suggest is:
> > regex_args = re.compile(r'''
> > (^
> > (?P<s>
> > ( [~\w@/-][=.]? )* # s=args
> > )?
> > /?$) # trailing slash
> > ''', re.X|re.U)
>
> > Cheers,
> > Pawel
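Added example, not code from this thread or from web2py: it takes the
allow-list regex quoted above (Pawel's version with ~ added to the
character class) and shows the two points under discussion in Python 3
terms. In Python 3, str patterns already give \w the Unicode meaning
that re.U requested in Python 2, so re.ASCII is used here only to
reproduce the old ASCII-only behaviour for comparison; bytes from the
request are decoded as UTF-8 before matching, which is the second
challenge. The helper name args_ok and the sample inputs are mine.

```python
import re

# The args allow-list from the thread, with ~ added to the character class.
# Because each allowed character may be followed by at most one '=' or '.',
# two consecutive dots (the '..' of a traversal attempt) can never match.
ARGS_PATTERN = r'''
(^
(?P<s>
( [~\w@/-][=.]? )* # s=args
)?
/?$) # trailing slash
'''

# str patterns in Python 3 treat \w as Unicode by default (the re.U of Python 2).
regex_args_unicode = re.compile(ARGS_PATTERN, re.X)
# re.ASCII restores the ASCII-only \w, i.e. the behaviour without re.U.
regex_args_ascii = re.compile(ARGS_PATTERN, re.X | re.ASCII)


def args_ok(raw, unicode_words=True):
    """Return True when the args path passes the allow-list.

    raw may be str or bytes. Bytes are decoded as UTF-8 first; bytes that
    are not valid UTF-8 (for example raw latin-1) are rejected outright
    instead of being matched byte by byte.
    """
    if isinstance(raw, bytes):
        try:
            raw = raw.decode('utf-8')
        except UnicodeDecodeError:
            return False
    pattern = regex_args_unicode if unicode_words else regex_args_ascii
    return pattern.match(raw) is not None


if __name__ == '__main__':
    # Constructed sample inputs: the umlaut case from the thread, a ~ path,
    # and two traversal-style strings that the allow-list must still reject.
    for sample in ['öäü', 'öäü'.encode('utf-8'), b'\xf6\xe4\xfc',
                   '~pawel/notes', 'a/../b', '../etc', 'a/b.txt/']:
        print(repr(sample), 'unicode:', args_ok(sample),
              'ascii:', args_ok(sample, unicode_words=False))
```

The ASCII-only compile rejects 'öäü' while the Unicode one accepts it,
which is exactly the re.U difference; the latin-1 bytes b'\xf6\xe4\xfc'
are refused because they do not decode as UTF-8, and 'a/../b' and
'../etc' fail under both flags, so adding ~ does not reopen the '..'
case the original regex was guarding against.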