[web2py] Re: Say My Name Example not working, version 1.98.2
Thank you, all. The web2py book has been really helpful in understanding this generics feature.

On Aug 30, 3:36 pm, pbreit wrote:
> If you only use generics during development (good practice), put this in db.py or another model file:
>
> response.generic_patterns = ['*'] if request.is_local else []
Re: [web2py] Re: Say My Name Example not working, version 1.98.2
If you only use generics during development (good practice), put this in db.py or another model file: response.generic_patterns = ['*'] if request.is_local else []
[web2py] Re: Say My Name Example not working, version 1.98.2
On Tuesday, August 30, 2011 2:44:44 PM UTC-4, rami wrote:
> Anthony, I do have a question though. Looking at your first approach, how do I even know what generic_patterns or views I need for my functions.

It depends on how you want your functions to be accessed. As long as a given function has a specific named view associated with it, then you don't need a generic view at all. For example, if you have function 'myfunc' in /controllers/default.py, as long as you have a /views/default/myfunc.html view, you don't need a generic view for that function. Generic views are only used/needed when you don't have a specific view for a function. There's some explanation near the end of this book section: http://web2py.com/book/default/chapter/03#Say-Hello

There is more detailed discussion in the context of services (JSON, XML): http://web2py.com/book/default/chapter/09#Generic-Views

Anthony
[web2py] Re: Say My Name Example not working, version 1.98.2
"pbreit" above made me realize that when I was creating my first.html and second.html, I forgot to specify default/first and default/second and then click "create view", and not just first and second without the "default/". My bad! Thank you, pbreit!

I am happy that I posted this question because some interesting discussion was generated. Anthony, thank you for your input and for explaining the motivation for introducing the generics change in the newer version of web2py. It makes sense! For now I am still leaving this "response.generic_patterns = ['*']" because I am just trying to follow the tutorial and learn web2py and then worry more about the security issues.

Anthony, I do have a question though. Looking at your first approach, how do I even know what generic_patterns or views I need for my functions? Could you direct me to some documentation to read more about it? Again, I just started working with web2py so I am not familiar with all these generics. Your help will continue to be appreciated!

On Aug 30, 10:34 am, Anthony wrote:
> On Tuesday, August 30, 2011 1:31:56 PM UTC-4, Anthony wrote:
> > Yes. In general, you can take one of two approaches (or some combination):
> >
> > - Be selective about which generic_patterns you enable for which specific requests -- only enable the specific generic views you need for specific functions.
> > - Make sure your controller functions return only the variables and database records and fields that you are comfortable exposing to the public via generic views (i.e., don't return anything to the view that is not needed or is needed only conditionally for some authorized users). For example, in the view, don't do something like {{if auth.user:}}{{show some sensitive data returned by the controller action}} -- a generic view will expose the sensitive data because it won't check for auth.user.
>
> I should add that because it's fairly easy to slip up regarding the second approach, it's probably wise to rely more on the first approach (i.e., be explicit whenever you are enabling a generic view).
>
> Anthony
Re: [web2py] Re: Say My Name Example not working, version 1.98.2
On Tuesday, August 30, 2011 1:10:07 PM UTC-4, Phyo Arkar wrote:
> Wow
>
> thanks a lot for the notice Anthony, that's such a big security hole.
>
> So, putting response.generic_patterns = ['json'] inside db.py will still re-open that vulnerability?

Yes, that would still be vulnerable.

> Putting it on all views that return Json will be the safest?

Yes. In general, you can take one of two approaches (or some combination):

- Be selective about which generic_patterns you enable for which specific requests -- only enable the specific generic views you need for specific functions.
- Make sure your controller functions return only the variables and database records and fields that you are comfortable exposing to the public via generic views (i.e., don't return anything to the view that is not needed or is needed only conditionally for some authorized users). For example, in the view, don't do something like {{if auth.user:}}{{show some sensitive data returned by the controller action}} -- a generic view will expose the sensitive data because it won't check for auth.user.

Anthony
Re: [web2py] Re: Say My Name Example not working, version 1.98.2
On Tuesday, August 30, 2011 1:31:56 PM UTC-4, Anthony wrote:
> Yes. In general, you can take one of two approaches (or some combination):
>
> - Be selective about which generic_patterns you enable for which specific requests -- only enable the specific generic views you need for specific functions.
> - Make sure your controller functions return only the variables and database records and fields that you are comfortable exposing to the public via generic views (i.e., don't return anything to the view that is not needed or is needed only conditionally for some authorized users). For example, in the view, don't do something like {{if auth.user:}}{{show some sensitive data returned by the controller action}} -- a generic view will expose the sensitive data because it won't check for auth.user.

I should add that because it's fairly easy to slip up regarding the second approach, it's probably wise to rely more on the first approach (i.e., be explicit whenever you are enabling a generic view).

Anthony
Re: [web2py] Re: Say My Name Example not working, version 1.98.2
On Tuesday, August 30, 2011 1:00:29 PM UTC-4, pbreit wrote:
> Are we defaulting generics "on" for request.is_local?

Not at the framework level, but db.py in the 'welcome' app includes a line defaulting to all generics being on for request.is_local (and all off otherwise).

Anthony
Re: [web2py] Re: Say My Name Example not working, version 1.98.2
Wow, thanks a lot for the notice Anthony, that's such a big security hole.

So, putting response.generic_patterns = ['json'] inside db.py will still re-open that vulnerability?

Putting it on all views that return Json will be the safest?

On 8/30/11, Anthony wrote:
> On Tuesday, August 30, 2011 8:05:59 AM UTC-4, Phyo Arkar wrote:
> > I am having the same problem with all my json calls, which are not with jsonrpc.
> > I found this post and I tried adding
> >
> > response.generic_patterns = ['*']
> >
> > and it worked! Thanks a lot rami, you saved a life. I will never update web2py unless something major is improved.
>
> Note, changes in web2py only cause breaks like this when they are fixing bugs or resolving a security vulnerability. In this case, there was a security vulnerability, and it might be good that it broke your application, because it could prompt you to discover and fix a vulnerability. In fact, you probably should not simply set response.generic_patterns = ['*'], as that will completely restore the old behavior and therefore leave you open to the vulnerability. Instead, you should be more specific with response.generic_patterns.
>
> If you enable generic.json for all requests (which is what you have done), then a malicious user can go to _any_ function in _any_ controller in your app (even functions that you do not intend to serve via JSON) and get a JSON view of whatever is returned by that function. If your function returns any variables that you do not want exposed to all users or returns a database select that includes some fields you do not want to expose to all users, those variables and fields will be exposed via JSON. For example, if you return some user records to a view (e.g., a list of users/members), all fields will be exposed (including the password field).
>
> To be safest, it is best to conditionally set response.generic_patterns = ['json'] only when needed. You could set it inside the functions that need to serve JSON, or set it conditionally in a model depending on the incoming request. Note, generic_patterns can be a list of globs that match the incoming controller/function.extension.
>
> Anthony
Re: [web2py] Re: Say My Name Example not working, version 1.98.2
Are we defaulting generics "on" for request.is_local?
[web2py] Re: Say My Name Example not working, version 1.98.2
I know this might be a silly question, but how do I install this app? Do I have to put it in the same folder as where my web2py is? Right now I am accessing the web2py admin interface through HTTP from another computer where I have downloaded this saymyname app. So when I am on this other computer and I try to upload it, it tells me I can't upload because I get this error:

Unable to download app because: [Errno 2] No such file or directory: 'saymyname'

So basically I am using an apache server with mod_wsgi and a virtual host to run web2py on the server whose admin interface I am accessing.

Thanks,
Beatris.

On Aug 29, 2:36 pm, Omi Chiba wrote:
> Rami,
>
> I'm using the same version and just followed the chapter, but it works fine.
> It runs under the Rocket WSGI web server coming with web2py. If you are using another web server, then you should check the configuration. Or it could be a typo somewhere. I will send you my app to your mail address.
>
> On Aug 29, 2:29 pm, rami wrote:
> > I recently decided to try web2py and so I am going through the tutorials in Chapter 3.
> > I have Version 1.98.2. When I got to the Say My Name Example, I followed the steps, but I found out that I have to add response.generic_patterns = ['*'] because I kept getting "Invalid View".
> > Ok, so in my default controller I did this:
> >
> > def first():
> >     response.generic_patterns = ['*']
> >     return dict()
> >
> > def second():
> >     response.generic_patterns = ['*']
> >     return dict()
> >
> > Then under views, I created first.html and second.html:
> > <<<>>>
> > {{extend 'layout.html'}}
> > What is your name?
> >
> > <<<>>>
> > {{extend 'layout.html'}}
> > Hello {{=request.vars.visitor_name}}
> >
> > Now when I try to see first.html, it just displays "First" as a title, but no form is present.
> >
> > Any ideas why this is happening??
> >
> > Thank you!
Re: [web2py] Re: Say My Name Example not working, version 1.98.2
On Tuesday, August 30, 2011 8:05:59 AM UTC-4, Phyo Arkar wrote:
> I am having the same problem with all my json calls, which are not with jsonrpc.
> I found this post and I tried adding
>
> response.generic_patterns = ['*']
>
> and it worked! Thanks a lot rami, you saved a life. I will never update web2py unless something major is improved.

Note, changes in web2py only cause breaks like this when they are fixing bugs or resolving a security vulnerability. In this case, there was a security vulnerability, and it might be good that it broke your application, because it could prompt you to discover and fix a vulnerability. In fact, you probably should not simply set response.generic_patterns = ['*'], as that will completely restore the old behavior and therefore leave you open to the vulnerability. Instead, you should be more specific with response.generic_patterns.

If you enable generic.json for all requests (which is what you have done), then a malicious user can go to _any_ function in _any_ controller in your app (even functions that you do not intend to serve via JSON) and get a JSON view of whatever is returned by that function. If your function returns any variables that you do not want exposed to all users or returns a database select that includes some fields you do not want to expose to all users, those variables and fields will be exposed via JSON. For example, if you return some user records to a view (e.g., a list of users/members), all fields will be exposed (including the password field).

To be safest, it is best to conditionally set response.generic_patterns = ['json'] only when needed. You could set it inside the functions that need to serve JSON, or set it conditionally in a model depending on the incoming request. Note, generic_patterns can be a list of globs that match the incoming controller/function.extension.

Anthony
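The exposure Anthony describes in the post above, and the two approaches he lists in his earlier reply in this thread (be selective with generic_patterns; return only what the view needs), as an added example that is not part of the original thread and is not web2py's own code. It models the rule he states, a list of globs matched against 'controller/function.extension', with Python's fnmatch; that reconstruction of the matching rule, the SPECIFIC_VIEWS and ACTIONS inventory of the sample app, the constructed auth_user row and all function names are assumptions made for this example. Running it shows which actions each pattern set would let a caller render through generic.json just by appending .json to the URL, and why returning whole rows from an action is the other half of the problem.

```python
import fnmatch
import json

# Constructed sample application (an assumption for this example): the
# specific view files that exist under views/, and the controller actions.
SPECIFIC_VIEWS = {
    "default/first.html",
    "default/second.html",
    "default/members.html",
}
ACTIONS = [("default", "first"), ("default", "second"),
           ("default", "members"), ("default", "api"), ("admin", "audit")]


def generic_view_allowed(patterns, controller, function, extension):
    """Model of the rule quoted in the thread: generic_patterns is a list of
    shell-style globs matched against 'controller/function.extension'.
    This is an assumed reconstruction, not web2py's implementation."""
    target = "%s/%s.%s" % (controller, function, extension)
    return any(fnmatch.fnmatch(target, p) for p in patterns)


def select_view(patterns, controller, function, extension):
    """A specific view always wins. Otherwise a generic view is used only
    when some pattern matches; otherwise None ('invalid view' in web2py)."""
    specific = "%s/%s.%s" % (controller, function, extension)
    if specific in SPECIFIC_VIEWS:
        return specific
    if generic_view_allowed(patterns, controller, function, extension):
        return "generic.%s" % extension
    return None


def generically_exposed(patterns, extension):
    """Every action a caller could render through generic.<extension>
    under the given patterns, i.e. the attack surface of that setting."""
    wanted = "generic.%s" % extension
    return sorted("%s/%s" % (c, f) for c, f in ACTIONS
                  if select_view(patterns, c, f, extension) == wanted)


# Constructed auth_user row; the password value is a placeholder hash.
MEMBERS = [
    {"id": 1, "first_name": "Ada", "email": "ada@example.org",
     "password": "pbkdf2(1000,20,sha512)$0123$deadbeef"},
]


def members_unsafe():
    """Action returning whole rows: fine when only members.html renders
    it, but generic.json would serialise every field, password included."""
    return {"rows": MEMBERS}


def members_safe():
    """Same action returning only the fields the page actually needs, so a
    generic view cannot leak more than the HTML view already shows."""
    keep = ("id", "first_name")
    return {"rows": [{k: r[k] for k in keep} for r in MEMBERS]}


def render_generic_json(action_result):
    """Stand-in for views/generic.json: dump whatever the action returned."""
    return json.dumps(action_result, sort_keys=True)


if __name__ == "__main__":
    # '*' and '*.json' both expose every action; only a per-function
    # pattern limits generic.json to the action meant to serve JSON.
    for pats in (["*"], ["*.json"], ["default/api.json"]):
        print(pats, "->", generically_exposed(pats, "json"))
    print("password" in render_generic_json(members_unsafe()))  # True
    print("password" in render_generic_json(members_safe()))    # False
```

With an empty pattern list, select_view still returns default/first.html for the tutorial's first action, which is why pbreit's point holds: once the view files sit under views/default, the generic_patterns line is not needed for the Say My Name example at all.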
Re: [web2py] Re: Say My Name Example not working, version 1.98.2
I am having the same problem with all my json calls, which are not with jsonrpc.
I found this post and I tried adding

response.generic_patterns = ['*']

and it worked! Thanks a lot rami, you saved a life. I will never update web2py unless something major is improved.

On 8/30/11, Omi Chiba wrote:
> Rami,
>
> I'm using the same version and just followed the chapter, but it works fine.
> It runs under the Rocket WSGI web server coming with web2py. If you are using another web server, then you should check the configuration. Or it could be a typo somewhere. I will send you my app to your mail address.
>
> On Aug 29, 2:29 pm, rami wrote:
> > I recently decided to try web2py and so I am going through the tutorials in Chapter 3.
> > I have Version 1.98.2. When I got to the Say My Name Example, I followed the steps, but I found out that I have to add response.generic_patterns = ['*'] because I kept getting "Invalid View".
> > Ok, so in my default controller I did this:
> >
> > def first():
> >     response.generic_patterns = ['*']
> >     return dict()
> >
> > def second():
> >     response.generic_patterns = ['*']
> >     return dict()
> >
> > Then under views, I created first.html and second.html:
> > <<<>>>
> > {{extend 'layout.html'}}
> > What is your name?
> >
> > <<<>>>
> > {{extend 'layout.html'}}
> > Hello {{=request.vars.visitor_name}}
> >
> > Now when I try to see first.html, it just displays "First" as a title, but no form is present.
> >
> > Any ideas why this is happening??
> >
> > Thank you!
[web2py] Re: Say My Name Example not working, version 1.98.2
Rami,

I'm using the same version and just followed the chapter, but it works fine.
It runs under the Rocket WSGI web server coming with web2py. If you are using another web server, then you should check the configuration. Or it could be a typo somewhere. I will send you my app to your mail address.

On Aug 29, 2:29 pm, rami wrote:
> I recently decided to try web2py and so I am going through the tutorials in Chapter 3.
> I have Version 1.98.2. When I got to the Say My Name Example, I followed the steps, but I found out that I have to add response.generic_patterns = ['*'] because I kept getting "Invalid View".
> Ok, so in my default controller I did this:
>
> def first():
>     response.generic_patterns = ['*']
>     return dict()
>
> def second():
>     response.generic_patterns = ['*']
>     return dict()
>
> Then under views, I created first.html and second.html:
> <<<>>>
> {{extend 'layout.html'}}
> What is your name?
>
> <<<>>>
> {{extend 'layout.html'}}
> Hello {{=request.vars.visitor_name}}
>
> Now when I try to see first.html, it just displays "First" as a title, but no form is present.
>
> Any ideas why this is happening??
>
> Thank you!
[web2py] Re: Say My Name Example not working, version 1.98.2
Are the view files in "views" (incorrect) or "views/default" (correct)? You don't need "response.generic_patterns = ['*'] " when you are creating view files. You can put "response.generic_patterns = ['*']" in db.py model file so that it applies to your whole app.