request.args encoding


Mirek Zvolský

Jul 27, 2016, 7:32:59 AM
to web2py-users
If I use
URL('action', args=("a#b", "a:b"))

I will receive
request.args == ['a_b', 'a_b']

So I need to use something like base64.b32encode() for each item in args.


Probably this is "by design" behaviour,
but I'm curious why it is so.

urllib.quote / .unquote returns the original value a#b, a:b


[web2py 2.14.5]

Martin Weissenboeck

Jul 27, 2016, 8:40:07 AM
to web2py-users

Try URL('action', vars=dict(arg0='a#b', arg1='a:b'))


Massimo Di Pierro

Jul 27, 2016, 1:53:53 PM
to web2py-users
web2py restricts what chars can be in the args to avoid problems. For example # cannot be in the args because it is used to separate the hash. Also often the args are used to access files or other resources and we want to protect against possible insecure direct object reference attacks (https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References).

Anthony

Jul 27, 2016, 2:40:43 PM
to web2py-users
Note, if you are confident you can validate the input and won't be subject to the security concerns Massimo mentioned, you can access the original untransformed args via request.raw_args. Note, that is the entire arg string, including the "/" separators (i.e., it is not converted to a list of args).

Anthony
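
The base32 workaround from the first post, combined with the validation the two replies above call for, as an added example that is not part of the thread or of web2py's own code. The helper names, the length cap and the allow-list are hypothetical; the tokens contain only A-Z and 2-7 because the "=" padding is stripped.

```python
import base64
import binascii
import re

# Hypothetical policy for decoded values: a short allow-list with no path
# separators. Tighten it to what the receiving action actually needs.
ALLOWED = re.compile(r"[A-Za-z0-9 _.:#@+-]{1,64}")
MAX_ENCODED_LEN = 128


def encode_arg(value):
    """Encode one value as unpadded base32 (A-Z and 2-7 only)."""
    raw = value.encode("utf-8")
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def decode_arg(token):
    """Decode one arg and validate it; raise ValueError on anything suspect."""
    if not token or len(token) > MAX_ENCODED_LEN:
        raise ValueError("bad length")
    if not re.fullmatch(r"[A-Z2-7]+", token):
        raise ValueError("not base32")
    padded = token + "=" * (-len(token) % 8)  # restore the stripped padding
    try:
        value = base64.b32decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("undecodable arg") from exc
    # Reject non-canonical tokens so every value has exactly one encoding.
    if encode_arg(value) != token:
        raise ValueError("non-canonical encoding")
    # Encoding sidesteps the framework's character filter, so the decoded
    # value must be checked again before it names a file or a record.
    if not ALLOWED.fullmatch(value) or value in (".", ".."):
        raise ValueError("value rejected by policy")
    return value


def decode_args(tokens):
    """Decode a list of encoded args, e.g. the items of request.args."""
    return [decode_arg(t) for t in tokens]
```

The sending side would pass `[encode_arg(v) for v in values]` as `args`, and the receiving action would call `decode_args(request.args)` and treat a `ValueError` as a bad request.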