On Oct 25, 2011, at 2:06 PM, Pawel Jasinski wrote:

> hi,
>
> thanks! That solved my ~ problem.
>
> Unfortunately for my öäü (chars above 128 and below 255 in latin-1) I
> still need to overcome 2 challenges:
>
> 1. re.U must be supplied to compile or match to take advantage of
> unicode interpretation of \w.
> I could shift compile into the routes.py. Is it acceptable?

I think so, yes.

> 2. at some point before match call args have to be subjected to
> decode('utf-8') to become unicode
> Any suggestions?

I'd like to do this right, but I'm a little confused. Do we need to consider Punycode, for example? Or is that just for domain names?

> --Pawel
>
> On Oct 25, 9:18 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
>> On Oct 25, 2011, at 11:57 AM, Pawel Jasinski <pawel.jasin...@gmail.com>
>> wrote:
>>
>>> hi,
>>
>>>> of directory traversal attacks (~ specifically).
>>> how exactly?
>>
>>> I am talking about arguments and only arguments.
>>> I agree that ~ in case of application/controller/method makes no sense.
>>> In case of static I agree 100%, but that is a different control path.
>>
>> If you enable the parametric router, you'll get the kind of args handling
>> you want, with the added feature that you can rewrite the args validation
>> regex.
>>
>>> The arguments are just that, arguments. If you put such a blanket
>>> statement about arguments in the URL, should you also do it for forms? At
>>> the end these are also arguments and someone may take it 1:1 and feed
>>> it into 'open'.
>>> It is up to the controller to decide what to do with args. I believe
>>> nobody takes anything that comes from the browser (args or form elements)
>>> and tries to use it as an argument of 'open'. In case of web2py, DAL
>>> already delivers a perfect mechanism to take whatever comes and
>>> convert it into a reasonable name:
>>> filename=db.table.field.store(content,whatever_convoluted_name_we_get).
>>
>>> To be specific about the args filtering:
>>
>>> args must match:
>>> regex_args = re.compile(r'''
>>>     (^
>>>         (?P<s>
>>>             ( [\w@/-][=.]? )*   # s=args
>>>         )?
>>>     /?$)                        # trailing slash
>>> ''', re.X)
>>
>>> what I suggest is:
>>> regex_args = re.compile(r'''
>>>     (^
>>>         (?P<s>
>>>             ( [~\w@/-][=.]? )*  # s=args
>>>         )?
>>>     /?$)                        # trailing slash
>>> ''', re.X|re.U)
>>
>>> Cheers,
>>> Pawel
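The two points under discussion (a Unicode-aware \w and decoding the raw args to text before matching) can be checked end to end with a small script. This is an added example, not code from the thread or from web2py itself: it rebuilds the args regex quoted above with the two knobs the thread argues about (whether `~` is in the permitted class, and whether \w is Unicode-aware), and decodes request bytes as UTF-8 before matching. It assumes Python 3, where a str pattern is already Unicode-aware, so "not unicode-aware" is expressed with re.ASCII rather than by omitting re.U; the helper names and the sample inputs are constructed for the example.

```python
import re


def build_args_regex(allow_tilde=False, unicode_aware=True):
    """Build the web2py-style args validation regex quoted in the thread.

    allow_tilde   -- add '~' to the permitted character class (Pawel's proposal).
    unicode_aware -- let \\w match letters such as ö/ä/ü. In Python 3 a str
                     pattern is Unicode-aware by default, so the "ASCII-only"
                     behaviour is selected with re.ASCII (the Python 2
                     equivalent is compiling without re.U).
    """
    char_class = r'[~\w@/-]' if allow_tilde else r'[\w@/-]'
    flags = re.X | (0 if unicode_aware else re.ASCII)
    return re.compile(r'''
        (^
            (?P<s>
                ( ''' + char_class + r'''[=.]? )*   # s=args
            )?
        /?$)                                        # trailing slash
    ''', flags)


def decode_args(raw):
    """Turn the raw request-path bytes into text before any regex runs.

    Undecodable UTF-8 is rejected outright (None) instead of being matched
    as bytes, which is the second of the two problems raised in the thread.
    Text that is already str is passed through unchanged.
    """
    if isinstance(raw, bytes):
        try:
            return raw.decode('utf-8')
        except UnicodeDecodeError:
            return None
    return raw


def args_valid(raw, allow_tilde=False, unicode_aware=True):
    """True if the decoded args string is accepted by the validation regex."""
    text = decode_args(raw)
    if text is None:
        return False
    return build_args_regex(allow_tilde, unicode_aware).match(text) is not None


if __name__ == '__main__':
    # Constructed sample inputs, as the bytes a request path would arrive in.
    cases = [
        (b'\xc3\xb6\xc3\xa4\xc3\xbc', 'öäü as UTF-8'),
        (b'~pawel/report.txt', 'home-style prefix with a dotted name'),
        (b'a/b=c/', 'plain args with trailing slash'),
        (b'../etc/passwd', 'leading dot-dot'),
        (b'a/../b', 'embedded dot-dot'),
        (b'\xff\xfe', 'not valid UTF-8'),
    ]
    for raw, label in cases:
        print('%-38s original:%-6s ascii:%-6s with ~:%s' % (
            label,
            args_valid(raw),
            args_valid(raw, unicode_aware=False),
            args_valid(raw, allow_tilde=True)))
```

The dot-dot cases show why the character class is shaped the way it is: `.` is only reachable through the optional `[=.]?` that follows a permitted character, so a second consecutive dot never matches and `..` segments are rejected whether or not `~` is allowed. Decoding happens once, up front, so the same text is what both the regex and any later file or database code sees.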