On 17/11/11 18:36, Carl Meyer wrote:

> I do, however, think that the tight coupling we currently have between
> INSTALLED_APPS and "what templatetag libraries are available for
> load", while a reasonable default for an integrated framework, is an
> unfortunate restriction on use of the template system, which I hope
> can be lifted by #17093.

Agreed.

> And I also don't agree that efforts to use the template language in a
> "sandboxed" way are doomed to failure: if you can instantiate a
> template instance with an explicitly-limited set of templatetag
> libraries (which #17093 would allow), and you can control exactly what
> data is put into the template context, I think you _can_ make
> templates safe for untrusted use. Obviously it requires care.

It's pretty easy to produce a DOS attack using only builtin template
tags and filters, and a completely empty context e.g.:

{% for a in "xxxxxxxxxxxxxxx"|make_list %}
  {% for a in "xxxxxxxxxxxxxxx"|make_list %}
     {# etc #}
  {% endfor %}
{% endfor %}

I'm sure there must be other ways to do this, and there may well be
different other types of flaws. I guess it depends on what you mean by
'safe', but we certainly haven't built the template system with this in
mind.

Luke


-- 
The probability of someone watching you is proportional to the
stupidity of your action.

Luke Plant || http://lukeplant.me.uk/

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.
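The nested-loop pattern Luke shows above is the kind of thing a static gate on untrusted template source can refuse before the template is ever compiled, which is one of the "care" steps Carl's sandboxing idea would need. The Python below is an added example, not code from this thread or from Django itself: it scans `{% ... %}` block tags with a regular expression (a simplification of Django's real lexer, not a replacement for it), tracks `for` nesting, and, when every open loop iterates over a quoted string literal as in the `"xxx"|make_list` trick, multiplies the literal lengths to bound the worst-case iteration count. The function names `analyse_loops` and `check_untrusted_template`, the thresholds, and the sample templates are all my own constructions.

```python
import math
import re

# Block tag {% name args %}; args may span lines (DOTALL). Assumed
# simplification: Django's own lexer also handles {{ }} and {# #}, which
# we only need to ignore here.
TAG_RE = re.compile(r"{%\s*(\w+)\s*(.*?)\s*%}", re.DOTALL)
# `for x in "literal"...` or `for x, y in 'literal'|filter`: the loop source
# is a quoted string, so its size (len of the string) is known statically.
FOR_LITERAL_RE = re.compile(r"""^\s*[\w,\s]+?\s+in\s+(["'])(.*?)\1""")


def analyse_loops(source):
    """Return (max_depth, bound) for the {% for %} loops in a template source.

    max_depth: deepest nesting of for-loops outside comment/verbatim blocks.
    bound: largest product of iteration counts over the open loops when all
           of them iterate over quoted string literals; None if any loop's
           size cannot be known statically (e.g. a context variable);
           0 when the template has no loops at all.
    Raises ValueError on unbalanced for/endfor.
    """
    stack = []          # iteration count (int) or None for each open loop
    max_depth = 0
    worst = 0
    unknown = False
    skip_until = None   # name of the end tag that closes a comment/verbatim
    for m in TAG_RE.finditer(source):
        name, args = m.group(1), m.group(2)
        if skip_until:
            if name == skip_until:
                skip_until = None
            continue
        if name in ("comment", "verbatim"):
            skip_until = "end" + name
            continue
        if name == "for":
            lit = FOR_LITERAL_RE.match(args)
            stack.append(len(lit.group(2)) if lit else None)
            max_depth = max(max_depth, len(stack))
            if None in stack:
                unknown = True
            else:
                worst = max(worst, math.prod(stack))
        elif name == "endfor":
            if not stack:
                raise ValueError("endfor without matching for")
            stack.pop()
    if stack:
        raise ValueError("unclosed for loop")
    return max_depth, (None if unknown else worst)


def check_untrusted_template(source, max_depth=2, max_iterations=10_000):
    """Gate an untrusted template: (accepted, reason).

    Loops over context data (bound is None) can only be limited by capping
    the size of what is put into the context; this check covers the part
    that is visible in the template text alone.
    """
    try:
        depth, bound = analyse_loops(source)
    except ValueError as exc:
        return False, str(exc)
    if depth > max_depth:
        return False, f"for-loop nesting depth {depth} exceeds {max_depth}"
    if bound is not None and bound > max_iterations:
        return False, f"worst-case {bound} iterations exceeds {max_iterations}"
    return True, "ok"


# Constructed samples: the thread's pattern nested four deep, and a benign loop.
HOSTILE = "\n".join(
    ['{% for a in "xxxxxxxxxxxxxxx"|make_list %}'] * 4
    + ["{# etc #}"]
    + ["{% endfor %}"] * 4
)
BENIGN = "{% for item in items %}<li>{{ item }}</li>{% endfor %}"

if __name__ == "__main__":
    for label, src in (("hostile", HOSTILE), ("benign", BENIGN)):
        print(label, analyse_loops(src), check_untrusted_template(src))
```

With the defaults the four-deep sample is rejected on nesting depth alone (and its bound of 15**4 = 50625 iterations would trip the iteration limit as well), while the benign loop passes with an unknowable bound, which is exactly the case that has to be covered by limiting the context instead.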
