#2336: possible security hole in default error handler
----------------------------------+-----------------------------------------
Reporter: diefans | Owner:
Type: defect | Status: new
Priority: highest | Milestone: 2.0
Component: TurboGears | Version: 2.0
Severity: critical | Resolution:
Keywords: javascript injection |
----------------------------------+-----------------------------------------
Comment (by jorge.vargas):
Could you provide an example call to that controller that will display an
alert() window? From looking at how it is handled, it should not be possible
to put that in the URL as it is an indirection call to the
errormiddleware. Neither GET nor POST.
http://localhost:8080/error/document?status_int=3
returns AttributeError: 'NoneType' object has no attribute 'status_int'
with WebError on.
--
Ticket URL: <http://trac.turbogears.org/ticket/2336#comment:2>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development