Re: /admin Cross-Site Scripting (XSS) issue!
On Wed, May 7, 2008 at 3:41 PM, James Bennett <[EMAIL PROTECTED]> wrote:
>
> On Wed, May 7, 2008 at 2:32 PM, Jan Rademaker <[EMAIL PROTECTED]> wrote:
> >
> > It does work, make sure you're not logged in.
> >
> > $ lynx -source -dump
> > http://localhost:8000/admin/%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/
> > | grep alert
> > alert(3939)/" method="post"
> > id="login-form">
>
> OK, so what's happening is that the admin is assuming that if you're
> not logged in, the current URL should be used as the URL to submit
> login information to. Which means it drops the request path into the
> form's "action" attribute and, since there are valid things for URLs
> that'd be incorrectly escaped if we let the autoescaper get at them,
> it's marked "safe" and so can contain HTML.
>
> Since there is a genuine XSS threat here, it needs to be fixed in the
> current admin and not simply punted to nfa. Optimal solution is to
> just point the thing at a genuinely consistent login URL and redirect
> back to where they were trying to go once the user's authenticated
> (preferably keeping the URL firmly in the address bar the whole time,
> like we already do with the "next" param for logging in everywhere
> else).

Trying this on newforms-admin (circa r7500) does not produce an alert box. In fact the form action is escaped:

But from the first paragraph above it sounds like that's not the correct behavior either? Just trying to understand if newforms-admin has a different problem.

Karen

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en
Re: Subversion Access
Rahein:

Please also note that you are supposed to adjust your path so svn is runnable from anywhere, not run svn in its bin subdirectory. Google for "set path" followed by your operating system name if you don't know how to do this.

regards
Steve

Dan Watson wrote:
> Questions like this should be directed to the django-users mailing
> list.
>
> That said, this is probably caused by your proxy server not
> understanding how to handle subversion's requests. See
> http://subversion.tigris.org/faq.html#proxy or search the mailing
> lists - this has come up before.
>
> On May 7, 5:00 pm, Rahein <[EMAIL PROTECTED]> wrote:
>> I am trying to get the Django Trunk downloaded and this is my first
>> excursion into using Subversion.
>>
>> I followed the directions in the installing guide, but when I run the
>> command in subversion's bin folder:
>>
>> svn co http://code.djangoproject.com/svn/django/trunk/ django-trunk
>>
>> I get these error messages:
>>
>> svn: REPORT request failed on '/svn/!svn/vcc/default'
>> svn: REPORT of '/svn/!svn/vcc/default': 400 Bad Request (http://code.djangoproject.com)
>>

--
Steve Holden        +1 571 484 6266   +1 800 494 3119
Holden Web LLC      http://www.holdenweb.com/
Re: Subversion Access
Questions like this should be directed to the django-users mailing list.

That said, this is probably caused by your proxy server not understanding how to handle subversion's requests. See http://subversion.tigris.org/faq.html#proxy or search the mailing lists - this has come up before.

On May 7, 5:00 pm, Rahein <[EMAIL PROTECTED]> wrote:
> I am trying to get the Django Trunk downloaded and this is my first
> excursion into using Subversion.
>
> I followed the directions in the installing guide, but when I run the
> command in subversion's bin folder:
>
> svn co http://code.djangoproject.com/svn/django/trunk/ django-trunk
>
> I get these error messages:
>
> svn: REPORT request failed on '/svn/!svn/vcc/default'
> svn: REPORT of '/svn/!svn/vcc/default': 400 Bad Request (http://code.djangoproject.com)
>
> Thanks for your help again.
Subversion Access
I am trying to get the Django Trunk downloaded and this is my first excursion into using Subversion.

I followed the directions in the installing guide, but when I run the command in subversion's bin folder:

svn co http://code.djangoproject.com/svn/django/trunk/ django-trunk

I get these error messages:

svn: REPORT request failed on '/svn/!svn/vcc/default'
svn: REPORT of '/svn/!svn/vcc/default': 400 Bad Request (http://code.djangoproject.com)

Thanks for your help again.
Re: /admin Cross-Site Scripting (XSS) issue!
On Wed, May 7, 2008 at 2:32 PM, Jan Rademaker <[EMAIL PROTECTED]> wrote:
>
> It does work, make sure you're not logged in.
>
> $ lynx -source -dump
> http://localhost:8000/admin/%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/
> | grep alert
> alert(3939)/" method="post"
> id="login-form">

OK, so what's happening is that the admin is assuming that if you're not logged in, the current URL should be used as the URL to submit login information to. Which means it drops the request path into the form's "action" attribute and, since there are valid things for URLs that'd be incorrectly escaped if we let the autoescaper get at them, it's marked "safe" and so can contain HTML.

Since there is a genuine XSS threat here, it needs to be fixed in the current admin and not simply punted to nfa. Optimal solution is to just point the thing at a genuinely consistent login URL and redirect back to where they were trying to go once the user's authenticated (preferably keeping the URL firmly in the address bar the whole time, like we already do with the "next" param for logging in everywhere else).

--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
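The pattern James describes and the fix he proposes, as an added example (not Django's admin code and not from this thread): the request path dropped unescaped into the form action, beside an attribute-escaped version and a fixed login URL that carries the original path in a URL-encoded "next" parameter. The `LOGIN_URL` constant and the `safe_next` same-site check on "next" are assumptions added here, not something the thread specifies; the request path is the decoded form of the URL Jan tested.

```python
import html
from urllib.parse import urlencode, urlparse

# Constructed input: the decoded form of the path Jan fetched with lynx.
PAYLOAD_PATH = '/admin/"><script>alert(3939)</script>/'

# Assumed fixed login endpoint (hypothetical; the thread names none).
LOGIN_URL = "/admin/login/"


def vulnerable_login_form(request_path):
    """Old-admin pattern: the current request path is the form action and is
    marked 'safe', so it is interpolated with no HTML escaping at all."""
    action = request_path  # "safe" value: autoescaping bypassed
    return '<form action="%s" method="post" id="login-form"></form>' % action


def escaped_login_form(request_path):
    """Narrow fix: keep the current-URL behaviour but attribute-escape it.
    The quote that would close the attribute becomes &quot;, so injected
    markup stays inside the attribute value as inert text."""
    action = html.escape(request_path, quote=True)
    return '<form action="%s" method="post" id="login-form"></form>' % action


def safe_next(request_path):
    """Added caveat: only accept a same-site absolute path as 'next' (no scheme,
    no host, no protocol-relative '//'), so the post-login redirect cannot be
    pointed at another site. Returns None when the value is rejected."""
    parsed = urlparse(request_path)
    if parsed.scheme or parsed.netloc:
        return None
    if not parsed.path.startswith("/") or parsed.path.startswith("//"):
        return None
    return request_path


def redirect_login_form(request_path):
    """James's proposal: post to one consistent login URL and carry the place
    the user was heading in a URL-encoded 'next' query parameter."""
    nxt = safe_next(request_path)
    query = "?" + urlencode({"next": nxt}) if nxt else ""
    action = html.escape(LOGIN_URL + query, quote=True)
    return '<form action="%s" method="post" id="login-form"></form>' % action


def contains_injected_script(markup):
    """Check used to compare the three renderings: does a raw <script> tag
    survive into the HTML the browser would parse?"""
    return "<script>" in markup
```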
Re: Dev attitude towards Windows and IIS
Rajeev & Waylan: Thanks for the pointers. I will check them out.

On May 7, 1:26 pm, "Waylan Limberg" <[EMAIL PROTECTED]> wrote:
> Another alternative is Django on IronPython. I'm not involved
> personally, but my understanding is that it currently works (at least
> to some extent) and there is an effort underway to iron (sorry
> couldn't resist) out the bugs. I could be wrong, but as IronPython is
> basically python on .NET, I would think it works fine with IIS. You
> may want to look into that.
>
> On Wed, May 7, 2008 at 1:10 PM, Rajeev J Sebastian <[EMAIL PROTECTED]> wrote:
> >
> > On Wed, May 7, 2008 at 10:23 PM, rcs_comp <[EMAIL PROTECTED]> wrote:
> > > Just remember that there are people out there like me who see a lot of
> > > potential for Django but are confined to using IIS and MSSQL. Don't
> > > be skeptical of us, use our interest in Django to make the framework
> > > that more robust and attractive to a larger number of users.
> >
> > I don't run Windows or IIS, so I can't be sure ... but you can try
> > running django in IIS via fastcgi:
> >
> > http://www.caraveo.com/fastcgi/
> >
> > Also, Apache and nginx run on Windows platform. So those could be
> > avenues you should explore (considering windows in general, maybe you
> > should think again about IIS support especially given the good
> > alternatives).
>
> --
> Waylan Limberg
> [EMAIL PROTECTED]
Re: Dev attitude towards Windows and IIS
First, maybe an apology is in order? I am sorry if my post came off as harsh or chastising; my intent was to encourage.

"I think the comment is not harsh but very honest about the current state of affairs, and this kind of candor is essential."

Agreed that candor is essential. How come the candor in my original post then is so unwelcome? I wasn't trying to chastise, but encourage. I want Django to get better b/c I have been really impressed with it so far.

Jeremy,

The reason I pulled the quote "out of context" is because I wasn't concerned with the rest of the post. The phrase that bothered me was "good deal of skepticism" and it doesn't seem to me that the phrase was aimed at the user or his behavior but at running Django on IIS. It's one thing to say, "we just don't have the resources available to support Windows testing and development at this time but would welcome someone else to contribute in this area." It's a completely different thing to say, "understand that IIS is far from Django's preferred deployment environment and thus is likely to be met with a good deal of skepticism." So, maybe you can help me understand why there is a good deal of skepticism?

Let's try not to let this post degenerate into personal animosity. I am *very thankful* for the time and effort that has gone into Django by the devs. My concern is to make Django better. FWIW, this post is an attempt to contribute. I have just started learning Python and Django in the last 24 hours. If this was a PHP project, I would be happy to jump in. As it is, my contributions are currently limited.

With the best of intentions,
Randy
Re: Dev attitude towards Windows and IIS
Another alternative is Django on IronPython. I'm not involved personally, but my understanding is that it currently works (at least to some extent) and there is an effort underway to iron (sorry couldn't resist) out the bugs. I could be wrong, but as IronPython is basically python on .NET, I would think it works fine with IIS. You may want to look into that.

On Wed, May 7, 2008 at 1:10 PM, Rajeev J Sebastian <[EMAIL PROTECTED]> wrote:
>
> On Wed, May 7, 2008 at 10:23 PM, rcs_comp <[EMAIL PROTECTED]> wrote:
> > Just remember that there are people out there like me who see a lot of
> > potential for Django but are confined to using IIS and MSSQL. Don't
> > be skeptical of us, use our interest in Django to make the framework
> > that more robust and attractive to a larger number of users.
>
> I don't run Windows or IIS, so I can't be sure ... but you can try
> running django in IIS via fastcgi:
>
> http://www.caraveo.com/fastcgi/
>
> Also, Apache and nginx run on Windows platform. So those could be
> avenues you should explore (considering windows in general, maybe you
> should think again about IIS support especially given the good
> alternatives).
>

--
Waylan Limberg
[EMAIL PROTECTED]
Re: Dev attitude towards Windows and IIS
On Wed, May 7, 2008 at 10:23 PM, rcs_comp <[EMAIL PROTECTED]> wrote:
> Just remember that there are people out there like me who see a lot of
> potential for Django but are confined to using IIS and MSSQL. Don't
> be skeptical of us, use our interest in Django to make the framework
> that more robust and attractive to a larger number of users.

I don't run Windows or IIS, so I can't be sure ... but you can try running django in IIS via fastcgi:

http://www.caraveo.com/fastcgi/

Also, Apache and nginx run on Windows platform. So those could be avenues you should explore (considering windows in general, maybe you should think again about IIS support especially given the good alternatives).

Regards
Rajeev J Sebastian

> Thanks.
>
> Randy
>
Re: Dev attitude towards Windows and IIS
On Wed, May 7, 2008 at 11:53 AM, rcs_comp <[EMAIL PROTECTED]> wrote:
...
> Maybe I am reading too much into the comment, but I would like to
> encourage you to steer clear of the attitude behind this statement.

And I'd encourage you to quote in context-- a user had repeatedly marked the ticket "ready for checkin" when it wasn't, and was being encouraged to bring the issue to the dev list for additional resources-- just as you have done here. The full quote:

'
pjs, please stop marking this ready for checkin; that's a distinction only a developer or triager is supposed to make. You'll succeed in getting attention, but only the bad kind. Running Django under IIS simply isn't something most core devs can do, and without review this can't go in. Your best bet to push things along is to point to this ticket on django-dev and ask if anyone can review it. Please be patient and understand that IIS is far from Django's preferred deployment environment and thus is likely to be met with a good deal of skepticism.
'

> Do
> you really want to alienate and be skeptical of *a lot* of potential
> users out there that might want to use Django just because you have a
> preference for a different platform? Why not ask someone to donate a
> Windows hosting environment so the devs have access to it and can test
> Django on IIS?

Indeed. I have previously expressed interest in supporting SQL Server, and indeed there are many people who could benefit from it. Unfortunately, no one stepped up to support adodbapi, so it was removed. Oracle support was only allowed into the tree after a group committed to supporting it-- which they have done and done well. I bet support for IIS and SQL Server would be welcomed if the people who benefit from it would also commit to supporting it.

> Don't
> be skeptical of us, use our interest in Django to make the framework
> that more robust and attractive to a larger number of users.

Contributors have limited resources and time, and open source is a benefit when common goals result in receiving more than you give-- but being motivated to give nonetheless. That said, Django is not a popularity contest-- it is a web development framework which so far has suffered from a distinct lack of *contributions* from Windows-land.
Re: Dev attitude towards Windows and IIS
I think it is perfectly reasonable to decide what platforms you are interested in working with when you are contributing your efforts to free software. Perhaps if you think Django should work better on IIS you could work on it yourself or pay someone else to work on that, rather than chastising the people who donated so much effort already. I'm sure your contributions would be welcomed much more than your criticisms. I think the comment is not harsh but very honest about the current state of affairs, and this kind of candor is essential.

On Wed, May 7, 2008 at 12:53 PM, rcs_comp <[EMAIL PROTECTED]> wrote:
>
> I came across this ticket:
>
> http://code.djangoproject.com/ticket/2039
>
> and was somewhat disappointed by one of the comments I read. I wrote
> this response, but then realized it should probably come here rather
> than go in the ticket system.
>
>
> Replying to [comment:18 jacob]:
> > Please be patient and understand that IIS is far from Django's preferred
> > deployment
> > environment and thus is likely to be met with a good deal of skepticism.
>
> Django Devs,
>
> Maybe I am reading too much into the comment, but I would like to
> encourage you to steer clear of the attitude behind this statement. I
> would love to be able to pick and choose my development environment,
> but I have to work and my current customers use Windows machines
> exclusively. Rather than viewing Django on IIS as skeptical, how
> about doing as much as you can to diversify where Django can run? Do
> you really want to alienate and be skeptical of *a lot* of potential
> users out there that might want to use Django just because you have a
> preference for a different platform? Why not ask someone to donate a
> Windows hosting environment so the devs have access to it and can test
> Django on IIS?
>
> Just remember that there are people out there like me who see a lot of
> potential for Django but are confined to using IIS and MSSQL. Don't
> be skeptical of us, use our interest in Django to make the framework
> that more robust and attractive to a larger number of users.
>
> Thanks.
>
> Randy
>

--
Elliot Murphy
Dev attitude towards Windows and IIS
I came across this ticket:

http://code.djangoproject.com/ticket/2039

and was somewhat disappointed by one of the comments I read. I wrote this response, but then realized it should probably come here rather than go in the ticket system.

Replying to [comment:18 jacob]:
> Please be patient and understand that IIS is far from Django's preferred
> deployment
> environment and thus is likely to be met with a good deal of skepticism.

Django Devs,

Maybe I am reading too much into the comment, but I would like to encourage you to steer clear of the attitude behind this statement. I would love to be able to pick and choose my development environment, but I have to work and my current customers use Windows machines exclusively. Rather than viewing Django on IIS as skeptical, how about doing as much as you can to diversify where Django can run? Do you really want to alienate and be skeptical of *a lot* of potential users out there that might want to use Django just because you have a preference for a different platform? Why not ask someone to donate a Windows hosting environment so the devs have access to it and can test Django on IIS?

Just remember that there are people out there like me who see a lot of potential for Django but are confined to using IIS and MSSQL. Don't be skeptical of us, use our interest in Django to make the framework that more robust and attractive to a larger number of users.

Thanks.

Randy
Re: Newbe questions (firebird)
I am trying to download the trunk from SVN and am getting this message:

Error: MKACTIVITY of '/svn/!svn/act/b31d46c1-39f8-164f-a712-4e3a3dd6a803': 400 Bad Request (http://code.djangoproject.com)

On May 5, 6:19 pm, Ivan Illarionov <[EMAIL PROTECTED]> wrote:
> Hi, Rahein,
>
> The Firebird patch and backend is against latest Django trunk and
> depends on the newest Django features, especially new QuerySet/Query
> classes.