RE: [web2py] Re: Potential site trust abuse with default web2py setting?
I think I'd prefer to see the checking for external redirects in the redirect() function itself. Perhaps on a redirect() to an external page the user should be taken to a warning page that they are about to exit the web2py site, and ask them if they're sure they want to continue. This could be made bypassable via an extra parameter to redirect, or a site wide safe list of external redirects.

From: web2py@googlegroups.com [mailto:web...@googlegroups.com] On Behalf Of Bruno Rocha
Sent: Tuesday, November 23, 2010 1:00 PM
To: web2py@googlegroups.com
Subject: Re: [web2py] Re: Potential site trust abuse with default web2py setting?

I think this can be default (security matters), but needs to be configurable.

    def avoid_external_next():
        if request.controller=='default' and request.function=='user':
            if request.vars._next and request.vars._next.startswith('http'):
                del request.vars._next

at the models level:

    if some_setup_storage.avoid_external_next:
        avoid_external_next()

then, this will always be default, and executed until the user sets

    some_setup_storage.avoid_external_next = False

Or something like this.

2010/11/23 mdipierro <mdipie...@cs.depaul.edu>

Actually I appreciate you raising this issue and this is a healthy discussion. Security issues are very important for everybody here so thank you for bringing this up.

Although I do not think this is a major issue I agree that it should be avoided. One way to avoid it is by adding this in one of your models:

    if request.controller=='default' and request.function=='user':
        if request.vars._next and request.vars._next.startswith('http'):
            del request.vars._next

This will guarantee that only internal URLs can be passed via _next. Such mechanism could be made default behavior but I need to check that does not break anything.

What do you think? What do other people think?

Massimo

On Nov 23, 11:45 am, Richard G <richard.ga...@gmail.com> wrote:

Sorry, I am not saying that a web2py site is susceptible to CSRF. I meant that a web2py site could be used 'in the process' to perform a request that match these criteria on another site.

I find it weird to click on a link that is going to a legitimate web2py site, and loads this legitimate web2py site, but then redirects to an external site, only after I authenticate. (Based on using authentication).

Again, a simple example scenario: ie: I receive a fraudulent email, asking me to update password.. click on it (yes.. first mistake), it redirects me to a legitimate web2py site (I think, maybe the email was not fraudulent?), which on this web2py site after I perform an action, redirects me to another site.

I agree that a few items have to fall in place for this abuse to occur. But it still seems that at one point in the process, the user has placed trust in our site, and then our site redirects them elsewhere.

If the community believes form submission redirection based on the forms variables is not a threat to our environment (It doesn't present a tangible risk to our site, but I see it as posing a risk to our site's trust, and thus our user's trust) then I'll stop arguing :)

Again, thanks!

On Nov 23, 10:57 am, mdipierro <mdipie...@cs.depaul.edu> wrote:

What you suggest is indeed possible but... This is not an example of CSRF. CSRF is when a malicious site redirects the user to a site where the user is already authenticated (a web2py site) and forces the user to perform action (for example submit a form). web2py prevents this by hiding a formkey in forms.

What you suggest is an example of phishing. For the scam to work the victim would have to:

1) start from the malicious web site
2) login with a url provided by the malicious web site
3) provide credentials to a clone of the original web site.

If a user falls for 1,2,3 there are much easier ways to implement this scam even if web2py did not provide the next functionality and without redirecting at all to the web2py site.

I do not believe this kind of phishing can be avoided. We can have a flag that checks whether _next is on a different domain but it would not prevent this type of scam, just this particular implementation.

Massimo

On Nov 23, 10:42 am, Richard G <richard.ga...@gmail.com> wrote:

Howdy all,

In web2py I've noticed a number of methods in gluon/tools.py that utilize client input to determine site flow:

    if next == DEFAULT:
        next = request.get_vars._next \
            or request.post_vars._next \
            or self.settings.login_next

and subsequent

    if next and not next[0] == '/' and next[:4] != 'http':
        next = self.url(next.replace('[id]', str(form.vars.id)))
    redirect(next)

Methods: AUTH: login , register, retrieve_username,
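An added example, not code from this thread or from web2py: one way to apply the "internal URLs only, plus a site-wide safe list" idea discussed above to the final value handed to redirect(). The names safe_next, DEFAULT_NEXT and check_samples and the example hosts are assumptions; the check parses the URL instead of testing for an 'http' prefix, so scheme-relative and non-HTTP targets are refused as well.

```python
from urllib.parse import urlsplit

# Hypothetical names for illustration; none of these are web2py APIs.
DEFAULT_NEXT = "/default/index"


def safe_next(target, request_host, allowed_hosts=(), default=DEFAULT_NEXT):
    """Return target if it stays on this site or an allow-listed host, else default.

    request_host and allowed_hosts are bare host names without a port.
    """
    if not isinstance(target, str) or not target:
        return default
    # Browsers ignore some whitespace/control characters and treat "\" like
    # "/", so a URL containing any of them is refused instead of normalised.
    if any(c == "\\" or ord(c) <= 0x20 for c in target):
        return default
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 literal
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a rooted path with one leading "/".
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    if parts.scheme not in ("http", "https"):  # urlsplit lower-cases the scheme
        return default
    trusted = {request_host.lower()} | {h.lower() for h in allowed_hosts}
    return target if host in trusted else default


# Constructed sample values of _next for a site served from app.example.com.
SAMPLES = [
    "/default/user/profile",
    "https://app.example.com/default/index",
    "http://other.example/login",
    "//other.example/login",
    "https://pay.example.net/return",
]


def check_samples():
    """Map each constructed sample to the URL that would actually be used."""
    return [
        (s, safe_next(s, "app.example.com", allowed_hosts=["pay.example.net"]))
        for s in SAMPLES
    ]


if __name__ == "__main__":
    for raw, result in check_samples():
        print("%-40s -> %s" % (raw, result))
```

Refused targets fall back to the default page here; the warning-page idea from the reply above would replace that fallback with an interstitial.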
RE: [web2py] Re: plugin model execution order
Hey, Just wanted to say that I also ran into a situation recently where it would have been nice to insert a model before db.py, and I wished it was possible. Would be nice to allow 0_plugin_name folders as well. This communication, including any attachments, does not necessarily represent official policy of Seccuris Inc. Please see http://www.seccuris.com/Contact-PrivacyPolicy.htm for further details about Seccuris Inc.'s Privacy Policy. If you have received this communication in error, please notify Seccuris Inc. at i...@seccuris.com or at 1-866-644-8442.
RE: [web2py] convert python list to javascript array
Sounds like you're looking for response.json

    def test():
        coords = ((1,2), (3,4), (5,6))
        return response.json(coords)

Returns a javascript array formatted like:

    [[1, 2], [3, 4], [5, 6]]

Or you can use response.json(dict(coords=coords)) to get a javascript object:

    {"coords": [[1, 2], [3, 4], [5, 6]]}

Note that you also don't have to immediately return the result of response.json, you can save it and output it in the view, inside a script tag, for example

-----Original Message-----
From: web2py@googlegroups.com [mailto:web...@googlegroups.com] On Behalf Of 1904
Sent: Thursday, December 02, 2010 9:12 AM
To: web2py-users
Subject: [web2py] convert python list to javascript array

Hello, I'm totally new to web2py and I'm trying to use it with google maps api and javascript to build a map. So I got some longitudes and latitudes from a MySQL database. The problem is that I can't convert the Python list [with the lat and lng values] from the database into a javascript array which is needed.

I build the list with the values in a controller file and return it to the view file.

Python list: coordinates((1,2) , (3,4) , (5,6))

I tried it on this way:

    while(j=len()) //len = length of coordinates
    {
        var coor[{{=x}}][0] = {{=coordinates[y][0]}};
        var coor[{{=x}}][1] = {{=coordinates[y][1]}};
        j++;
    }

but it is not possible because Y doesn't raise...

So the question is how can I use JS variables and/or Python variables together?

Thanks for help
RE: [web2py] Re: Possible BUG: Hidden fields in SQLFORM with custom render template
Works for me.

-----Original Message-----
From: web2py@googlegroups.com [mailto:web...@googlegroups.com] On Behalf Of mdipierro
Sent: Thursday, November 25, 2010 10:01 PM
To: web2py-users
Subject: [web2py] Re: Possible BUG: Hidden fields in SQLFORM with custom render template

I like this. I will give some thought to it and this should probably be made the default web2py behavior. Any objection?

On Nov 25, 4:49 pm, Josh Jaques <jjaq...@seccuris.com> wrote:

Hey guys,

I looked into this a little more. The problem seems to be that self.custom.begin and self.custom.end are computed as soon as the form is initialized, and the hidden fields get appended to self.custom.end only in the call to accepts.

For this same reason, I was also having problems setting a class on a form with a custom template using code like the following:

    form = crud.read(db.table, id)
    form["_class"] = "some class"

The class is set after the form is created, and hence never shows up in self.custom.begin.

I'm using a quick work around by defining the following simple classes:

    # lets you add attributes after initialization to forms rendered with custom templates
    class CustomFormBeginner(DIV):
        def __init__(self, form):
            self.form = form
        def xml(self):
            (begin, end) = self.form._xml()
            return "<%s %s>" % (self.form.tag, begin)

    # ensures the hidden_field() are present on every form, regardless if accepts has been called
    class CustomFormEnder(DIV):
        def __init__(self, form):
            self.form = form
        def xml(self):
            return "%s</%s>" % (self.form.hidden_fields().xml(), self.form.tag)

And then externally set the form.custom.begin and form.custom.end at creation time like so:

    form = crud.read(db.table, id)
    form["_class"] = "some class"
    form.custom.begin = CustomFormBeginner(form)
    form.custom.end = CustomFormEnder(form)

This seems to solve the problem, and doesn't seem to break anything in the testing I've done.

Josh Jaques
Intern

From: web2py@googlegroups.com [mailto:web...@googlegroups.com] On Behalf Of Josh Jaques
Sent: Tuesday, November 23, 2010 10:35 AM
To: web2py@googlegroups.com
Subject: [web2py] Possible BUG: Hidden fields in SQLFORM with custom render template

Rendering SQLFORMs with a custom template, any hidden fields I create, as well as the hidden ID field are not displayed in the form until a call to accepts.

I think this might be a bug because the same form rendered without a custom template will have the ID and hidden fields without calling accepts.

I tested against latest release. Thoughts?

Sample controller action:

    def index():
        form = SQLFORM(db.images, db.images(1), hidden=dict(test_field="test_value"))
        accepted_form = SQLFORM(db.images, db.images(1), hidden=dict(test_field="test_value"))
        accepted_form.accepts(request.vars, formname=None)
        return dict(form=form, accepted_form=accepted_form)

Sample view:

    <!-- RENDER WITHOUT A TEMPLATE -->
    {{=form}}

    <!-- RENDER WITH A TEMPLATE -->
    {{=form.custom.begin}}
    Image name: <div>{{=form.custom.widget.name}}</div>
    Image file: <div>{{=form.custom.widget.file}}</div>
    Click here to upload: {{=form.custom.submit}}
    {{=form.custom.end}}

    <!-- RENDER WITH TEMPLATE AFTER ACCEPTS -->
    {{form=accepted_form}}
    {{=form.custom.begin}}
    Image name: <div>{{=form.custom.widget.name}}</div>
    Image file: <div>{{=form.custom.widget.file}}</div>
    Click here to upload: {{=form.custom.submit}}
    {{=form.custom.end}}

Sample output:

    <!-- RENDER WITHOUT A TEMPLATE -->
    <form action="" enctype="multipart/form-data" method="post"><table><tr id="images_id__row"><td class="w2p_fl"><label for="images_id" id="images_id__label">Id: </label></td><td class="w2p_fw"><span id="images_id">1</span></td><td class="w2p_fc"></td></tr><tr id="images_name__row"><td class="w2p_fl"><label for="images_name" id="images_name__label">Name: </label></td><td class="w2p_fw"><input class="string" id="images_name" name="name" type="text" value="a" /></td><td class="w2p_fc"></td></tr><tr id="images_file__row"><td class="w2p_fl"><label for="images_file" id="images_file__label">File: </label></td><td class="w2p_fw"><input class="upload" id="images_file" name="file" type="file" /></td><td class="w2p_fc"></td></tr><tr id="submit_record__row"><td class="w2p_fl"></td><td class="w2p_fw"><input type="submit" value="Submit" /></td><td class="w2p_fc"></td></tr></table><div class="hidden"><input name="test_field" type="hidden" value="test_value" /><input name="id" type="hidden" value="1" /></div></form>

    <!-- RENDER WITH A TEMPLATE -->
    <form action="" enctype="multipart/form-data" method="post">
    Image name: <div><input class="string" id="images_name" name="name" type="text" value="a" /></div>
    Image file: <div><input class="upload" id="images_file" name="file" type="file" /></div>
    Click here to upload: <input type="submit" value="Submit" />
    </form>

    <!-- RENDER WITH TEMPLATE AFTER ACCEPTS -->
    <form action="" enctype="multipart/form-data" method="post">
    Image name: <div><input class="string" id="images_name" name="name" type="text" value="" /><div class="error" id="name__error">enter from 10 to 255 characters</div></div>
[web2py] RE: Possible BUG: Hidden fields in SQLFORM with custom render template
Hey guys,

I looked into this a little more. The problem seems to be that self.custom.begin and self.custom.end are computed as soon as the form is initialized, and the hidden fields get appended to self.custom.end only in the call to accepts.

For this same reason, I was also having problems setting a class on a form with a custom template using code like the following:

    form = crud.read(db.table, id)
    form["_class"] = "some class"

The class is set after the form is created, and hence never shows up in self.custom.begin.

I'm using a quick work around by defining the following simple classes:

    # lets you add attributes after initialization to forms rendered with custom templates
    class CustomFormBeginner(DIV):
        def __init__(self, form):
            self.form = form
        def xml(self):
            (begin, end) = self.form._xml()
            return "<%s %s>" % (self.form.tag, begin)

    # ensures the hidden_field() are present on every form, regardless if accepts has been called
    class CustomFormEnder(DIV):
        def __init__(self, form):
            self.form = form
        def xml(self):
            return "%s</%s>" % (self.form.hidden_fields().xml(), self.form.tag)

And then externally set the form.custom.begin and form.custom.end at creation time like so:

    form = crud.read(db.table, id)
    form["_class"] = "some class"
    form.custom.begin = CustomFormBeginner(form)
    form.custom.end = CustomFormEnder(form)

This seems to solve the problem, and doesn't seem to break anything in the testing I've done.

Josh Jaques
Intern

From: web2py@googlegroups.com [mailto:web...@googlegroups.com] On Behalf Of Josh Jaques
Sent: Tuesday, November 23, 2010 10:35 AM
To: web2py@googlegroups.com
Subject: [web2py] Possible BUG: Hidden fields in SQLFORM with custom render template

Rendering SQLFORMs with a custom template, any hidden fields I create, as well as the hidden ID field are not displayed in the form until a call to accepts.

I think this might be a bug because the same form rendered without a custom template will have the ID and hidden fields without calling accepts.

I tested against latest release. Thoughts?

Sample controller action:

    def index():
        form = SQLFORM(db.images, db.images(1), hidden=dict(test_field="test_value"))
        accepted_form = SQLFORM(db.images, db.images(1), hidden=dict(test_field="test_value"))
        accepted_form.accepts(request.vars, formname=None)
        return dict(form=form, accepted_form=accepted_form)

Sample view:

    <!-- RENDER WITHOUT A TEMPLATE -->
    {{=form}}

    <!-- RENDER WITH A TEMPLATE -->
    {{=form.custom.begin}}
    Image name: <div>{{=form.custom.widget.name}}</div>
    Image file: <div>{{=form.custom.widget.file}}</div>
    Click here to upload: {{=form.custom.submit}}
    {{=form.custom.end}}

    <!-- RENDER WITH TEMPLATE AFTER ACCEPTS -->
    {{form=accepted_form}}
    {{=form.custom.begin}}
    Image name: <div>{{=form.custom.widget.name}}</div>
    Image file: <div>{{=form.custom.widget.file}}</div>
    Click here to upload: {{=form.custom.submit}}
    {{=form.custom.end}}

Sample output:

    <!-- RENDER WITHOUT A TEMPLATE -->
    <form action="" enctype="multipart/form-data" method="post"><table><tr id="images_id__row"><td class="w2p_fl"><label for="images_id" id="images_id__label">Id: </label></td><td class="w2p_fw"><span id="images_id">1</span></td><td class="w2p_fc"></td></tr><tr id="images_name__row"><td class="w2p_fl"><label for="images_name" id="images_name__label">Name: </label></td><td class="w2p_fw"><input class="string" id="images_name" name="name" type="text" value="a" /></td><td class="w2p_fc"></td></tr><tr id="images_file__row"><td class="w2p_fl"><label for="images_file" id="images_file__label">File: </label></td><td class="w2p_fw"><input class="upload" id="images_file" name="file" type="file" /></td><td class="w2p_fc"></td></tr><tr id="submit_record__row"><td class="w2p_fl"></td><td class="w2p_fw"><input type="submit" value="Submit" /></td><td class="w2p_fc"></td></tr></table><div class="hidden"><input name="test_field" type="hidden" value="test_value" /><input name="id" type="hidden" value="1" /></div></form>

    <!-- RENDER WITH A TEMPLATE -->
    <form action="" enctype="multipart/form-data" method="post">
    Image name: <div><input class="string" id="images_name" name="name" type="text" value="a" /></div>
    Image file: <div><input class="upload" id="images_file" name="file" type="file" /></div>
    Click here to upload: <input type="submit" value="Submit" />
    </form>

    <!-- RENDER WITH TEMPLATE AFTER ACCEPTS -->
    <form action="" enctype="multipart/form-data" method="post">
    Image name: <div><input class="string" id="images_name" name="name" type="text" value="" /><div class="error" id="name__error">enter from 10 to 255 characters</div></div>
    Image file: <div><input class="upload" id="images_file" name="file" type="file" /></div>
    Click here to upload: <input type="submit" value="Submit" />
    <div class="hidden"><input name="test_field" type="hidden" value="test_value" /><input name="id" type="hidden" value="1" /></div></form>
[web2py] targeted web2py_ajax_init for dynamically inserted forms
If you load a form onto a web2py page via AJAX, it doesn't get the enhancements from web2py_ajax_init().

I've included a modified web2py_ajax_init that accepts an optional parent selector to provide some scope to web2py_ajax_init. In this way if you load a form onto a page, you can call web2py_ajax_init on that specific form to give it the enhancements, without affecting every other form on the page.

I've included the modified function here as it may be useful to others in the future.

An alternative approach may be to bind events using jQuery.live(), so that you don't have to explicitly call web2py_ajax_init() every time you load a form.

    function web2py_ajax_init(parent) {
      var find = function(selector) {
        if (parent)
          return $(parent).find(selector);
        else
          return jQuery(selector);
      }
      find('.hidden').hide();
      find('.error').hide().slideDown('slow');
      find('.flash').click(function() { find(this).fadeOut('slow'); return false; });
      // find('input[type=submit]').click(function(){var t=find(this);t.hide();t.after('<input class="submit_disabled" disabled="disabled" type="submit" name="'+t.attr("name")+'_dummy" value="'+t.val()+'">')});
      find('input.integer').keyup(function(){this.value=this.value.reverse().replace(/[^0-9\-]|\-(?=.)/g,'').reverse();});
      find('input.double,input.decimal').keyup(function(){this.value=this.value.reverse().replace(/[^0-9\-\.]|[\-](?=.)|[\.](?=[0-9]*[\.])/g,'').reverse();});
      find("input[type='checkbox'].delete").each(function(){find(this).click(function() { if(this.checked) if(!confirm("{{=T('Sure you want to delete this object?')}}")) this.checked=false; });});
      try {find("input.date").focus(function() {Calendar.setup({
         inputField:this.id, ifFormat:"{{=T('%Y-%m-%d')}}", showsTime:false
      }); }); } catch(e) {};
      try { find("input.datetime").focus( function() {Calendar.setup({
         inputField:this.id, ifFormat:"{{=T('%Y-%m-%d %H:%M:%S')}}", showsTime: true,timeFormat: "24"
      }); }); } catch(e) {};
      try { find("input.time").timeEntry(); } catch(e) {};
    };
RE: [web2py] Re: targeted web2py_ajax_init for dynamically inserted forms
Background on jQuery live:

The classic way to bind to an event is doing something like:

    jQuery(selector).click(function() {
      // do some stuff
    });
    // Note this is just a wrapper to jQuery(...).bind("click", ...);

The issue with that method is that it statically binds the event to whatever elements match your selector AT THE TIME YOU CALL .click(). So if new elements are dynamically added to the page using javascript, the event handler won't be attached to those new elements.

jQuery also has the .live function, where events can be bound as follows:

    jQuery(selector).live("click", function() {
      // do some stuff
    });

Using .live(), the click event is now dynamically attached to all elements that match selector, regardless of the time they are added to the page.

The issue I was having:

So in my example, since web2py initializes its form event handlers with .bind, when I load a new form onto the page via ajax then it doesn't have any of the event handlers attached to it. This means the date fields are all static, delete checkboxes have no confirmation, etc.

What are thoughts on attaching the events using .live() instead? The only drawback to .live() I can think of is the increase in performance cost required to support dynamic events.

If you want to make it the new default, I'll submit a patch.

-----Original Message-----
From: web2py@googlegroups.com [mailto:web...@googlegroups.com] On Behalf Of mdipierro
Sent: Wednesday, November 24, 2010 12:51 PM
To: web2py-users
Subject: [web2py] Re: targeted web2py_ajax_init for dynamically inserted forms

Tell us more about jquery live. What do you propose?

On Nov 24, 11:44 am, Josh Jaques <jjaq...@seccuris.com> wrote:

If you load a form onto a web2py page via AJAX, it doesn't get the enhancements from web2py_ajax_init().

I've included a modified web2py_ajax_init that accepts an optional parent selector to provide some scope to web2py_ajax_init. In this way if you load a form onto a page, you can call web2py_ajax_init on that specific form to give it the enhancements, without affecting every other form on the page.

I've included the modified function here as it may be useful to others in the future.

An alternative approach may be to bind events using jQuery.live(), so that you don't have to explicitly call web2py_ajax_init() every time you load a form.

    function web2py_ajax_init(parent) {
      var find = function(selector) {
        if (parent)
          return $(parent).find(selector);
        else
          return jQuery(selector);
      }
      find('.hidden').hide();
      find('.error').hide().slideDown('slow');
      find('.flash').click(function() { find(this).fadeOut('slow'); return false; });
      // find('input[type=submit]').click(function(){var t=find(this);t.hide();t.after('<input class="submit_disabled" disabled="disabled" type="submit" name="'+t.attr("name")+'_dummy" value="'+t.val()+'">')});
      find('input.integer').keyup(function(){this.value=this.value.reverse().replace(/[^0-9\-]|\-(?=.)/g,'').reverse();});
      find('input.double,input.decimal').keyup(function(){this.value=this.value.reverse().replace(/[^0-9\-\.]|[\-](?=.)|[\.](?=[0-9]*[\.])/g,'').reverse();});
      find("input[type='checkbox'].delete").each(function(){find(this).click(function() { if(this.checked) if(!confirm("{{=T('Sure you want to delete this object?')}}")) this.checked=false; });});
      try {find("input.date").focus(function() {Calendar.setup({
         inputField:this.id, ifFormat:"{{=T('%Y-%m-%d')}}", showsTime:false
      }); }); } catch(e) {};
      try { find("input.datetime").focus( function() {Calendar.setup({
         inputField:this.id, ifFormat:"{{=T('%Y-%m-%d %H:%M:%S')}}", showsTime: true,timeFormat: "24"
      }); }); } catch(e) {};
      try { find("input.time").timeEntry(); } catch(e) {};
    };
[web2py] Possible BUG: Hidden fields in SQLFORM with custom render template
Rendering SQLFORMs with a custom template, any hidden fields I create, as well as the hidden ID field are not displayed in the form until a call to accepts.

I think this might be a bug because the same form rendered without a custom template will have the ID and hidden fields without calling accepts.

I tested against latest release. Thoughts?

Sample controller action:

    def index():
        form = SQLFORM(db.images, db.images(1), hidden=dict(test_field="test_value"))
        accepted_form = SQLFORM(db.images, db.images(1), hidden=dict(test_field="test_value"))
        accepted_form.accepts(request.vars, formname=None)
        return dict(form=form, accepted_form=accepted_form)

Sample view:

    <!-- RENDER WITHOUT A TEMPLATE -->
    {{=form}}

    <!-- RENDER WITH A TEMPLATE -->
    {{=form.custom.begin}}
    Image name: <div>{{=form.custom.widget.name}}</div>
    Image file: <div>{{=form.custom.widget.file}}</div>
    Click here to upload: {{=form.custom.submit}}
    {{=form.custom.end}}

    <!-- RENDER WITH TEMPLATE AFTER ACCEPTS -->
    {{form=accepted_form}}
    {{=form.custom.begin}}
    Image name: <div>{{=form.custom.widget.name}}</div>
    Image file: <div>{{=form.custom.widget.file}}</div>
    Click here to upload: {{=form.custom.submit}}
    {{=form.custom.end}}

Sample output:

    <!-- RENDER WITHOUT A TEMPLATE -->
    <form action="" enctype="multipart/form-data" method="post"><table><tr id="images_id__row"><td class="w2p_fl"><label for="images_id" id="images_id__label">Id: </label></td><td class="w2p_fw"><span id="images_id">1</span></td><td class="w2p_fc"></td></tr><tr id="images_name__row"><td class="w2p_fl"><label for="images_name" id="images_name__label">Name: </label></td><td class="w2p_fw"><input class="string" id="images_name" name="name" type="text" value="a" /></td><td class="w2p_fc"></td></tr><tr id="images_file__row"><td class="w2p_fl"><label for="images_file" id="images_file__label">File: </label></td><td class="w2p_fw"><input class="upload" id="images_file" name="file" type="file" /></td><td class="w2p_fc"></td></tr><tr id="submit_record__row"><td class="w2p_fl"></td><td class="w2p_fw"><input type="submit" value="Submit" /></td><td class="w2p_fc"></td></tr></table><div class="hidden"><input name="test_field" type="hidden" value="test_value" /><input name="id" type="hidden" value="1" /></div></form>

    <!-- RENDER WITH A TEMPLATE -->
    <form action="" enctype="multipart/form-data" method="post">
    Image name: <div><input class="string" id="images_name" name="name" type="text" value="a" /></div>
    Image file: <div><input class="upload" id="images_file" name="file" type="file" /></div>
    Click here to upload: <input type="submit" value="Submit" />
    </form>

    <!-- RENDER WITH TEMPLATE AFTER ACCEPTS -->
    <form action="" enctype="multipart/form-data" method="post">
    Image name: <div><input class="string" id="images_name" name="name" type="text" value="" /><div class="error" id="name__error">enter from 10 to 255 characters</div></div>
    Image file: <div><input class="upload" id="images_file" name="file" type="file" /></div>
    Click here to upload: <input type="submit" value="Submit" />
    <div class="hidden"><input name="test_field" type="hidden" value="test_value" /><input name="id" type="hidden" value="1" /></div></form>
[web2py] SQLDB does not allow manual selection of 'sslmode' for PostgreSQL database connections
When using SQLDB to open a connection to a PostgreSQL database, there is currently no way to select the SSL Mode of the connection.

Attached is a patch file which allows the sslmode to be optionally selected for non-jdbc Postgres connections via the following URL style: postgres://user:passw...@host:port/database?sslmode=require.

The related PostgreSQL documentation page is located here: http://www.postgresql.org/docs/8.4/static/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS.

In the documentation you will see that the default value for sslmode is prefer. If the sslmode is not specified, the patch will default to prefer. In this way I believe the patch is backward compatible.

Regards,
Josh Jaques

Attachment: sql.py.POSTGRES_SSL.patch
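An added example of handling the URL style described above. It is not the attached patch and not web2py code, and the names parse_postgres_uri and encryption_enforced are assumptions. It defaults sslmode to prefer, rejects values outside the modes listed in the PostgreSQL 8.4 documentation, and lets a deployment check whether the chosen mode actually enforces encryption, since prefer can fall back to a non-SSL connection.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# sslmode values listed in the PostgreSQL 8.4 libpq documentation.
SSL_MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
# Modes under which libpq will not fall back to an unencrypted connection.
ENFORCING_MODES = ("require", "verify-ca", "verify-full")


def parse_postgres_uri(uri, default_sslmode="prefer"):
    """Split postgres://user:password@host:port/database?sslmode=... into a dict.

    Hypothetical helper for illustration only.
    """
    parts = urlsplit(uri)
    if parts.scheme != "postgres":
        raise ValueError("not a postgres:// URI")
    database = parts.path.lstrip("/")
    if not parts.hostname or not database:
        raise ValueError("host and database are required")
    # A repeated or unknown sslmode is an error rather than a silent default.
    modes = parse_qs(parts.query).get("sslmode", [default_sslmode])
    if len(modes) != 1 or modes[0] not in SSL_MODES:
        raise ValueError("unsupported sslmode: %r" % (modes,))
    return {
        "user": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "host": parts.hostname,
        "port": parts.port or 5432,
        "database": database,
        "sslmode": modes[0],
    }


def encryption_enforced(params):
    """True only when the selected mode refuses a non-SSL connection."""
    return params["sslmode"] in ENFORCING_MODES


if __name__ == "__main__":
    # Constructed sample URIs; the credentials and host are placeholders.
    for uri in (
        "postgres://app:s3cret@db.internal:5432/sales?sslmode=require",
        "postgres://app:s3cret@db.internal/sales",
    ):
        params = parse_postgres_uri(uri)
        print(params["sslmode"], "enforced" if encryption_enforced(params) else "not enforced")
```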