web2py 2.23.0 is giving a 403 error when I try to package my applications


Davidiam

Jan 5, 2023, 3:54:07 AM
to web2py-users
Good Morning,

We are using IIS 10 with web2py 2.23.0.

When I try to pack the welcome application (or any other), using pack_all I get a 403 error.
When I try to pack the welcome application (or any other), using pack_custom, it first displays the file selector and when I click on download as .w2p I get a 403 error.

This seems to be related to the open_redirect changes.  I tried putting the 403 error related code from the admin\default.py controller in comment, but it still is giving the error.  

Kind Regards,
David

Davidiam

Jan 9, 2023, 3:10:12 AM
to web2py-users
I just did a test on my own PC with web2py out of the box and I got a 403 error when packing the application.  Now that I know that it has nothing to do with the webserver, I will try to debug the issue.
I will debug the issue to determine where in the code it is occurring.

Davidiam

Jan 9, 2023, 4:37:57 AM
to web2py-users
I found where this is occurring (out of the box run, no mods):

C:\Users\u30591\web2py_2.23.0\web2py\applications\admin\controllers\default.py:
def safe_open(a, b):
    if (DEMO_MODE or is_gae) and ('w' in b or 'a' in b):
        class tmp:

            def write(self, data):
                pass

            def close(self):
                pass
        return tmp()

    a_for_check = os.path.abspath(os.path.normpath(a))
    web2py_apps_root = os.path.abspath(up(request.folder))

    if not a_for_check.startswith(web2py_apps_root):
        raise HTTP(403) 

Because:
web2py_apps_root = 'C:\\Users\\myuser\\web2py_2.23.0\\web2py\\applications'
a_for_check =  'C:\\Users\\myuser\\web2py_2.23.0\\web2py\\deposit\\web2py.app.403_test.w2p'



Davidiam

Jan 9, 2023, 4:55:21 AM
to web2py-users
Which is in turn caused by:

def app_pack(app, request, raise_ex=False, filenames=None):
    """Builds a w2p package for the application

    Args:
        app(str): application name
        request: the global request object
    Returns:
        filename of the w2p file or None on error

    """
    try:
        if filenames is None:
            app_cleanup(app, request)
        filename = apath('../deposit/web2py.app.%s.w2p' % app, request)
        w2p_pack(filename, apath(app, request), filenames=filenames)
        return filename
    except Exception as e:
        if raise_ex:
            raise
        return False

Clemens

Jan 9, 2023, 5:00:22 AM
to web2py-users
Just a guess: What python version are you using? If you're still using python 2, it could be the reason.

Davidiam

Jan 9, 2023, 5:44:16 AM
to web2py-users
I am using python 3.9.15

pcg...@gmail.com

Feb 12, 2023, 4:21:20 PM
to web2py-users
Have the same issue (python 3.10). I've tried the latest web2py 2.23.1, and it's the same. I'm kind of lost on this one.

Davidiam

Feb 13, 2023, 2:28:40 AM
to web2py-users
Hi pcg,

I also created a bug report for this one and got a message from Massimo that it would be fixed in a new release.  A work-around I used was to simply put the code below in the admin default.py into comment:
    #if not a_for_check.startswith(web2py_apps_root):
    #    raise HTTP(403) 
But I don't know what the final solution will be in the official fix.

Kind Regards,
David
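
Added example, not part of the original posts and not web2py's code or its official fix: the prefix comparison quoted from safe_open, run against the two paths reported in the thread, next to a per-component containment check with an explicit allowlist of roots. The helper names, the allowlist (applications plus deposit) and the paths marked as constructed are assumptions; ntpath is used so the Windows paths behave the same on any OS.

```python
import ntpath  # Windows path rules on any OS, matching the paths quoted in the thread

# Paths as reported in the thread
APPS_ROOT = r"C:\Users\myuser\web2py_2.23.0\web2py\applications"
DEPOSIT = r"C:\Users\myuser\web2py_2.23.0\web2py\deposit\web2py.app.403_test.w2p"
# Constructed sample paths (not from the thread)
APP_FILE = APPS_ROOT + r"\welcome\models\db.py"
SIBLING = APPS_ROOT + r"_old\welcome\models\db.py"
TRAVERSAL = APPS_ROOT + r"\welcome\..\..\outside.txt"


def prefix_check(path, root=APPS_ROOT):
    """The comparison quoted from safe_open: a plain string prefix test."""
    return ntpath.normpath(path).startswith(ntpath.normpath(root))


def is_within(path, root):
    """True if path is root itself or lies below it, compared per component."""
    path = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(root))
    try:
        return ntpath.commonpath([path, root]) == root
    except ValueError:  # different drives, or absolute mixed with relative
        return False


def allowed(path, roots):
    """Allow a path only if it falls under one of the explicitly listed roots."""
    return any(is_within(path, r) for r in roots)


# Hypothetical allowlist: the applications folder plus the deposit folder
# that app_pack writes its .w2p file to.
ROOTS = [APPS_ROOT, ntpath.join(ntpath.dirname(APPS_ROOT), "deposit")]

if __name__ == "__main__":
    for p in (APP_FILE, DEPOSIT, SIBLING, TRAVERSAL):
        print(prefix_check(p), allowed(p, ROOTS), p)
```

The deposit path fails the prefix test, which is the 403 seen when packing, while the constructed sibling folder passes it because the comparison is on characters rather than path components.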

pcwalden

Feb 26, 2023, 8:51:30 AM
to web2py-users
I submitted an issue #2457 a month ago. Please leverage that one.

Massimo Di Pierro

Mar 23, 2023, 1:13:07 AM
to web2py-users
This has been fixed and 2.24.1 released. My apologies for overlooking the issue.