On Tuesday, August 30, 2011 1:10:07 PM UTC-4, Phyo Arkar wrote: > > Wow > > thanks alot for the notice Anthony , thats such a big security hole. > > So , putting response.generic_patterns = ['json'] inside db.py , > will still re-open that vulnerability? > Yes, that would still be vulnerable.
> > Putting it on all views that return Json will be the safest? > Yes. In general, you can take one of two approaches (or some combination): - Be selective about which generic_patterns you enable for which specific requests -- only enable the specific generic views you need for specific functions. - Make sure your controller functions return only the variables and database records and fields that you are comfortable exposing to the public via generic views (i.e., don't return anything to the view that is not needed or is needed only conditionally for some authorized users). For example, in the view, don't do something like {{if auth.user:}}{{show some sensitive data returned by the controller action}} -- a generic view will expose the sensitive data because it won't check for auth.user. Anthony >