Wow! web2py even has a webpage at
http://pythonsecurity.tumblr.com/post/807089821/web2py-a-framework-that-cares-about-security

Anyway, I just came across this
http://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/Current/Manifesto

I guess it is a read for anybody interested in web framework security


On Mar 2, 10:59 am, Massimo Di Pierro <massimo.dipie...@gmail.com>
wrote:
> Python has 31 keywords. exec is one of them. It cannot be that
> evil ;-)
>
> It is childish to criticize web2py for the use of a keyword without
> understanding the algorithm in which the keyword is used.
>
> Web2py was audited for security and did well:
>
>  http://www.pythonsecurity.org/wiki/web2py/
>
> In fact we do not use exec or eval with user input, only with server-
> side code or code provided by the system administrator.
>
> Since then, Django has reported major vulnerabilities:
>
>  http://www.linuxsecurity.com/content/view/154384/100/
>  http://www.f-secure.com/vulnerabilities/SA200905517
>  http://cvedetails.com/cve/CVE-2011-0698/
>  http://cvedetails.com/cve/CVE-2010-4534/
>
> I am sorry to say people who spread these rumors are buying into the
> propaganda and not thinking with their head. Smart people will look at
> the credentials, education and professional experience of the
> developers as opposed to how much they blog.
>
> The only argument that has merit is Mitsuhiko's argument that we
> should not exec code that contains classes with a __del__ method or
> this will result in a memory leak. We know that and we do not do it.
> It is a small price to pay for what it gives us. It is not something
> that we want to get rid of.
>
> Massimo
>
> On Mar 1, 8:50 pm, pbreit <pbreitenb...@gmail.com> wrote:
>
> > Would there be any way to close the gap at all? I have liked working with
> > Web2py so far but I feel like the argument above may have some merit and
> > should not be dismissed.
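The distinction Massimo draws above (exec/eval on administrator-provided code versus on user input) is something a reviewer can check mechanically. The following is an added example, not code from web2py or from anyone in this thread: it walks a Python 3 module's AST, reports every `eval`/`exec`/`compile` call, and classifies the argument as a constant string, something derived from a hypothetical `request` object (assumed here to be the name under which user input arrives), or otherwise dynamic. It also shows `ast.literal_eval` as the safe way to turn user-supplied text into data, since it accepts literals only and refuses calls. The sample source is constructed for the demonstration.

```python
import ast

# Builtins that turn strings into executable code.
DYNAMIC_CODE_FUNCS = {"eval", "exec", "compile"}

# Hypothetical name under which user-controlled data arrives (assumption).
USER_INPUT_NAME = "request"


def classify_argument(arg):
    """Describe where the first argument of a dynamic-code call comes from."""
    if arg is None:
        return "no-argument"
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        return "constant"          # fixed string: server-side code
    for node in ast.walk(arg):
        if isinstance(node, ast.Name) and node.id == USER_INPUT_NAME:
            return "request-derived"  # user input reaches eval/exec: flag
    return "dynamic"               # e.g. file contents: needs review


def find_dynamic_code(source):
    """Return sorted (lineno, func, origin) for eval/exec/compile calls."""
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id in DYNAMIC_CODE_FUNCS):
            first_arg = node.args[0] if node.args else None
            hits.append((node.lineno, node.func.id, classify_argument(first_arg)))
    return sorted(hits)


def parse_user_value(text):
    """Turn user-supplied text into a Python literal without evaluating code.

    ast.literal_eval only accepts strings, numbers, tuples, lists, dicts,
    sets, booleans and None; any call or attribute access raises ValueError.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("not a literal: %r" % text) from exc


# Constructed sample module; not real web2py code.
SAMPLE_SOURCE = """
import ast
cfg = eval(open('settings.py').read())   # admin-provided file: review
value = eval(request.vars.expr)          # user input reaches eval: flag
n = ast.literal_eval(request.vars.n)     # literal-only parse: fine
exec('print(1)')                         # constant string
"""


if __name__ == "__main__":
    for lineno, func, origin in find_dynamic_code(SAMPLE_SOURCE):
        print("line %d: %s(...) argument is %s" % (lineno, func, origin))
    print(parse_user_value("[1, 2, {'a': 'b'}]"))
```

Run as a script it lists lines 3, 4 and 6 of the sample with their classification and then prints the parsed list. Only a `Name` call to the builtins is matched, so `ast.literal_eval(...)` on line 5 is not reported; a real review would also want to resolve aliases such as `e = eval`, which this example does not attempt.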
