On 5/6/07, gsmith <[EMAIL PROTECTED]> wrote:
...
> (r'^csi/rso/(minutes)/(\w{1,100})/$',
>  'mysite.rso.views_rso.showminutespage'),
>
> /////////
>
> view
>
> def showminutespage(request, thetable, partitle):
>     thetabinfo = eval(thetable).objects.get(id=partitle)
>     return render_to_response(thetable + '_detail.html', {'thetabinfo':
>         thetabinfo, 'leftnav': leftnav.objects.all(), 'secondstuff':
>         minutes.lmembers.all()})
To answer your immediate question: where is "minutes" coming from there? :)
Try this in your template:
{% for member in thetabinfo.lmembers.all %}
    {{ member }}
{% endfor %}
The way you have your code, 'thetabinfo' is an instance of minutes, so
that's what you need to ask for related lmembers *not* the minutes
class.
Now that that's out of the way, never *ever* eval code that's from an
untrusted source -- and the URL is most definitely untrusted. In this
case, the only value 'thetable' could get is 'minutes', but it looks
like you're intending to generalize this or you wouldn't be bothering
to make it a view parameter. It's a nice thought, but don't do it
using eval. If you get the wildcard wrong later, I could delete files
on your server by requesting a URL. That's bad.
Instead, if you need the generalization, do something like this:
from django.http import Http404

# Only names listed here can ever reach a model class; the URL capture is
# used purely as a dictionary key and is never evaluated.
allowed_tables = {'minutes': minutes}

def vwrapper(request, thetable, partitle):
    if thetable not in allowed_tables:
        raise Http404
    themodel = allowed_tables[thetable]
    therow = themodel.objects.get(pk=partitle)
    #rest of view...
This way, if something surprising shows up for 'thetable', a 404 is
raised rather than allowing arbitrary code execution.
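As an added illustration of the allowlist dispatch described above (not code from the thread), here is the same pattern written without Django so it runs stand-alone; `Minutes`, `Agenda`, `FakeManager` and `NotFound` are constructed stand-ins for Django models, their `objects` manager and `django.http.Http404`.

```python
# Added example: allowlist dispatch in place of eval(). The classes below are
# stand-ins for Django models so the snippet runs without Django installed.
class NotFound(Exception):
    """Stand-in for django.http.Http404 (it must be raised, not returned)."""


class FakeManager:
    """Minimal replacement for a Django model manager's .get(pk=...)."""

    def __init__(self, rows):
        self._rows = rows

    def get(self, pk):
        try:
            return self._rows[pk]
        except KeyError:
            raise NotFound(f"no row with pk={pk!r}") from None


class Minutes:
    objects = FakeManager({1: "minutes #1", 2: "minutes #2"})


class Agenda:
    objects = FakeManager({1: "agenda #1"})


# The only names a URL may select. Adding a key here is the *only* way to
# expose another table; nothing the client sends is ever executed.
ALLOWED_TABLES = {"minutes": Minutes, "agenda": Agenda}


def resolve_row(thetable, partitle):
    """Map the two URL captures to a model row, or raise NotFound."""
    model = ALLOWED_TABLES.get(thetable)
    if model is None:
        raise NotFound(f"unknown table {thetable!r}")
    try:
        pk = int(partitle)  # ids are integers; reject anything else
    except ValueError:
        raise NotFound(f"bad id {partitle!r}") from None
    return model.objects.get(pk=pk)


def showminutespage(thetable, partitle):
    """View body: returns (template name, context) or raises NotFound."""
    row = resolve_row(thetable, partitle)
    return f"{thetable}_detail.html", {"thetabinfo": row}


def is_rejected(thetable, partitle):
    """True if the lookup is refused with a 404 instead of being served."""
    try:
        resolve_row(thetable, partitle)
    except NotFound:
        return True
    return False
```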
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---