On Wednesday, July 6, 2011 1:20:30 AM UTC-4, GoldenTiger wrote:
>
> I referred to generic views by default, like
> http://web2py.com/examples/simple_examples/hello6
> and discussed recently here
>
> Invalid view in 1.97.1:
>
> https://groups.google.com/group/web2py/browse_thread/thread/c3a14f5ee0997e2a/3b6898c0e70e8dd2
>
> I agree the security issue, in fact I have thought so since ever, but
> in my opinion, it has not been taken on mind some cases affected by
> this change

Do you have a suggested alternative? I think this is a case where we cannot both maintain backward compatibility _and_ fix the security vulnerability.

Note, if any of your apps were broken by this security fix, you can restore those apps to their original behavior by adding just a single line to any model file:

    response.generic_patterns = ['*']

However, it would probably be wise to instead be more selective with which generic views are available for which requested controllers/functions (which is the intention behind the new response.generic_patterns functionality).

Anthony
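
The difference between the catch-all setting and a selective one, as an added example that is not part of the original message and is not web2py's own code. It assumes each entry in response.generic_patterns is a shell-style glob compared against "controller/function.extension"; the controller and function names and the SELECTIVE policy are hypothetical.

```python
# Added illustration: a simplified model of how glob patterns in
# response.generic_patterns decide which requests may fall back to a
# generic view. Assumption: each pattern is a shell-style glob compared
# against the string "controller/function.extension".
from fnmatch import fnmatchcase


def generic_view_allowed(patterns, controller, function, extension):
    """Return True if any pattern permits a generic view for this request."""
    action = "%s/%s.%s" % (controller, function, extension)
    return any(fnmatchcase(action, p) for p in patterns)


# Constructed sample requests: (controller, function, extension)
REQUESTS = [
    ("default", "index", "html"),
    ("default", "user", "json"),
    ("api", "items", "json"),
    ("api", "items", "xml"),
    ("admin", "secrets", "json"),
]

# The one-line setting that restores the original behaviour for every action.
ALLOW_ALL = ["*"]
# Hypothetical selective policy: only the API actions meant to be serialized.
SELECTIVE = ["api/items.json", "api/*.xml"]


def exposed(patterns):
    """List the sample requests that would be rendered by a generic view."""
    return [r for r in REQUESTS if generic_view_allowed(patterns, *r)]


if __name__ == "__main__":
    for name, pats in (("['*']", ALLOW_ALL), ("selective", SELECTIVE)):
        print(name)
        for c, f, e in exposed(pats):
            print("  %s/%s.%s" % (c, f, e))
```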