On Tuesday, August 30, 2011 1:10:07 PM UTC-4, Phyo Arkar wrote:
>
> Wow
>
> thanks a lot for the notice Anthony, that's such a big security hole.
>
> So, putting response.generic_patterns = ['json'] inside db.py,
> will that still re-open that vulnerability?
>
Yes, that would still be vulnerable. 

>
> Putting it on all views that return Json will be the safest?
>

Yes. In general, you can take one of two approaches (or some combination):

   - Be selective about which generic_patterns you enable for which specific 
   requests -- only enable the specific generic views you need for specific 
   functions.
   - Make sure your controller functions return only the variables and 
   database records and fields that you are comfortable exposing to the public 
   via generic views (i.e., don't return anything to the view that is not 
   needed or is needed only conditionally for some authorized users). For 
   example, in the view, don't do something like {{if auth.user:}}{{show 
   some sensitive data returned by the controller action}} -- a generic view 
   will expose the sensitive data because it won't check for auth.user.

Anthony
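As an added illustration (not code from this thread or from web2py itself), the following Python models the fallback rule discussed above: a request for `action.json` falls through to `generic.json` when no hand-written view exists and the extension matches an entry in `response.generic_patterns`, and the generic view serialises everything the action returned. The `fnmatch`-style matching, the sample user rows and the action names are assumptions made for this example.

```python
"""Simplified model of web2py's generic-view fallback (added example).

Assumption: with no controller/action.<ext> view on disk, web2py uses
generic.<ext> if <ext> matches a generic_patterns entry; generic.json then
serialises every variable the action returned.  Data below is constructed.
"""
import fnmatch
import json

# Constructed sample record: email and password_hash must stay private.
DB_USERS = {1: {"id": 1, "name": "alice", "email": "alice@example.com",
                "password_hash": "$pbkdf2$...(constructed)"}}

# Hand-written views that exist on disk for this controller (assumed).
EXISTING_VIEWS = {"default/profile_leaky.html", "default/profile_safe.html"}


def generic_view_for(action, ext, generic_patterns):
    """Return the view web2py would pick, or None (it would raise 404)."""
    specific = "default/%s.%s" % (action, ext)
    if specific in EXISTING_VIEWS:
        return specific
    if any(fnmatch.fnmatch(ext, p) for p in generic_patterns):
        return "generic.%s" % ext
    return None


def render(action, ext, generic_patterns, variables):
    """generic.json dumps everything; a custom view chooses what to show."""
    view = generic_view_for(action, ext, generic_patterns)
    if view is None:
        return None
    if view == "generic.json":
        return json.dumps(variables, sort_keys=True)
    return "<html>...</html>"  # {{if auth.user:}} guards live only here


def profile_leaky(user_id):
    """Bad: returns the whole row; generic.json exposes the hidden fields."""
    return ['json'], dict(user=DB_USERS[user_id])


def profile_safe(user_id):
    """Good: enables 'json' only for this action and returns public fields."""
    row = DB_USERS[user_id]
    return ['json'], dict(user={"id": row["id"], "name": row["name"]})


def handle(action, ext, user_id=1):
    """Dispatch like web2py: run the action, then select the view."""
    actions = {"profile_leaky": profile_leaky, "profile_safe": profile_safe}
    patterns, variables = actions[action](user_id)
    return render(action, ext, patterns, variables)
```

With `generic_patterns = []` in the model file, `generic_view_for("profile_safe", "json", [])` returns None, which is the safe default the thread recommends; each action then opts in only to the formats it needs.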
