Re: Just going to point this out ...
It would be interesting to perhaps extend something like django-lint to pick up on what could be mistakes in templates.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
Re: Just going to point this out ...
> > is this what you're looking for?
> >
> > http://www.owasp.org/index.php/OWASP_Application_Security_FAQ
> >
> > Mike

Hi Mike.

Well in this case the page would be
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
but yes that link is a good starting point.

I should clarify why I emailed this list --> I emailed this list instead of filing a bug because I thought this was a bit stupid to file a bug for. I wanted to see what other 'users' thought about it. The general opinion thus far has been that people _should_ know about these problems, which is a nice assumption but imho not always true (and in a fair amount of applications no one will care if an XSS is possible).
Re: Just going to point this out ...
On Friday, February 18, 2011 06:07:57 am dave b wrote:
> On 19 February 2011 00:57, Shawn Milochik wrote:
> > I also didn't see the part where they state that you shouldn't put your
> > database login information in a template. That's probably because Django
> > is designed to allow Web developers to do their jobs more easily, not
> > allow people who don't know what they're doing make Web applications. If
> > you're going to do something really stupid then blame Django in some
> > way, then you're probably not competent at the job.
>
> Um. While it might be obvious to us it might not be so obvious to others.
> So this comment,
> " If you're going to do something really stupid then blame Django in
> some way, then you're probably not competent at the job" shows a lack
> of thought for other users given the way the django documentation
> found at [0] is presented.
>
> [0] -
> http://docs.djangoproject.com/en/dev/topics/templates/#automatic-html-escaping

is this what you're looking for?

http://www.owasp.org/index.php/OWASP_Application_Security_FAQ

Mike
--
"And what will you do when you grow up to be as big as me?" asked the father of his little son. "Diet."
Re: Just going to point this out ...
> Which of course it can't - it is properly escaped.
>
> Cheers
>
> Tom
>

Yes.
Re: Just going to point this out ...
On Fri, Feb 18, 2011 at 1:52 PM, dave b wrote:
> Hi I cannot see where in the django documentation it states that you
> shouldn't do something like this:
> ** (as an example of a potential
> attribute injection vector[0] - where you are not using a URLField or
> failure to call full_clean (on a URLField) ).
> That is I cannot see where django states that 'oh by the way our
> autoescape isn't safe in a few cases' and 'you should watch out for
> attribute injection!'.
>
> So did I miss it?
>
> [0] - the user-controlled link could be javascript:alert(1)
>

Aha, I thought this was more interesting than it was. Obviously, if you stick user generated input into a HTML attribute, then the value of that HTML attribute is controlled by the user (and that should be obvious enough that it shouldn't need to be mentioned..)

I thought you were inferring that something like this could be dangerous:

from django.template import Context, Template

ctxt = Context({'user_input': '" onclick="alert(\'pwned\')'})
tmpl = Template('foo')
tmpl.render(ctxt)

Which of course it can't - it is properly escaped.

Cheers

Tom
Re: Just going to point this out ...
On 19 February 2011 01:36, Masklinn wrote:
> On 2011-02-18, at 15:31 , dave b wrote:
>> On 19 February 2011 01:29, Shawn Milochik wrote:
>>> By the way -- I realized what happened. You CC'd me on the e-mail to the
>>> list. So when I replied it went directly to you.
>>
>> Ah sorry about the mix up then!
>> Yeah :P
>>
>> My view on this is that documentation can always be improved !
> Sure, but the way to do it is usually to open a bug on the tracker and
> provide a documentation patch (or alternatively find a way to fix the issue
> itself, but as far as I can tell if you're putting unchecked unvalidated data
> in your links there isn't much that can be done to help you).

Um, no I am not. I was using href with javascript as an example.

Example for Cal:

views.py

from django.shortcuts import render_to_response

def show_lol(request):
    return render_to_response("lol.html", {"lol": "javascript:alert(document.cookie)"})

lol.html

OKOKOKOK

Yes this is very contrived. If you used a URLField and the validator runs - this will not be saved in the first place.
Please do keep in mind that this is just a dumb example of attribute abuse.

(./sleep &)
Sorry I am very tired atm - it isn't attribute injection - just abuse.
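The distinction Tom and dave are drawing above (escaping stops a quote break-out in an attribute, but does nothing about a javascript: value in an href), as an added example that is not code from the thread or from Django. The names render_link, is_safe_url, render_link_checked and ALLOWED_SCHEMES are mine; Python's html.escape stands in for Django's escape filter, which escapes the same five characters.

```python
# Added example (not from the thread or Django): autoescaping vs. a
# scheme allowlist for a user-controlled href.
import html
from urllib.parse import urlsplit

# Schemes this example allows in a link; chosen here, not a Django default.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def render_link(url: str, text: str) -> str:
    """Mimic an autoescaped '<a href="{{ url }}">{{ text }}</a>' template.

    html.escape(quote=True) turns & < > " ' into entities, just as Django's
    escape filter does, so a value like '" onclick="...' cannot close the
    href attribute and start a new one.
    """
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True),
        html.escape(text, quote=True),
    )


def is_safe_url(url: str) -> bool:
    """Accept relative URLs and allowlisted schemes; reject everything else.

    Escaping cannot help here: 'javascript:alert(1)' contains nothing to
    escape, so the scheme itself must be checked. Tabs and newlines are
    removed first because browsers ignore them inside a URL scheme.
    """
    cleaned = "".join(c for c in url if c not in "\t\r\n").strip()
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme == "" or scheme in ALLOWED_SCHEMES


def render_link_checked(url: str, text: str) -> str:
    """Render the link only if the URL passes the scheme check; else '#'."""
    href = url if is_safe_url(url) else "#"
    return render_link(href, text)
```

Django's URLField validator applies the same kind of scheme check to stored values, which is why dave's example only works when that validation is skipped.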
Re: Just going to point this out ...
On 2011-02-18, at 15:31 , dave b wrote:
> On 19 February 2011 01:29, Shawn Milochik wrote:
>> By the way -- I realized what happened. You CC'd me on the e-mail to the
>> list. So when I replied it went directly to you.
>
> Ah sorry about the mix up then!
> Yeah :P
>
> My view on this is that documentation can always be improved !

Sure, but the way to do it is usually to open a bug on the tracker and provide a documentation patch (or alternatively find a way to fix the issue itself, but as far as I can tell if you're putting unchecked unvalidated data in your links there isn't much that can be done to help you).
Re: Just going to point this out ...
Dave, may I ask you to provide some proof of concept code in regards to this? It'll also make life a lot easier for you when submitting a bug report to the django devs.

On Fri, Feb 18, 2011 at 2:22 PM, dave b wrote:
> On 19 February 2011 01:19, Shawn Milochik wrote:
> > Don't take my comment as a personal attack. I was just pointing out that
> > injection attacks are one of those things we're all responsible for being
> > aware of and not opening ourselves up to.
> >
> > To the extent that Django protects us from such things, it's generally to
> > ensure that the boilerplate Django saves us from writing (by baking it in)
> > is safe.
> >
> > My point is that using Django doesn't relieve us of the responsibility of
> > knowing what we're doing.
> >
> > Shawn
>
> Oh how nice you sent this to me off the list?
>
> Ok great. How about you get off your damn high horse and settle with
> us mortals ?
>
> Wait a second when I read your email it sounds like you accept the
> fact that people "should know what they are doing" ... but you didn't
> answer my question or _suggest_ that some minor note be added to the
> template documentation.
Re: Just going to point this out ...
On 19 February 2011 01:29, Shawn Milochik wrote:
> By the way -- I realized what happened. You CC'd me on the e-mail to the
> list. So when I replied it went directly to you.

Ah sorry about the mix up then!
Yeah :P

My view on this is that documentation can always be improved !
Re: Just going to point this out ...
On 19 February 2011 01:19, Shawn Milochik wrote:
> Don't take my comment as a personal attack. I was just pointing out that
> injection attacks are one of those things we're all responsible for being
> aware of and not opening ourselves up to.
>
> To the extent that Django protects us from such things, it's generally to
> ensure that the boilerplate Django saves us from writing (by baking it in) is
> safe.
>
> My point is that using Django doesn't relieve us of the responsibility of
> knowing what we're doing.
>
> Shawn

Oh how nice you sent this to me off the list?

Ok great. How about you get off your damn high horse and settle with us mortals ?

Wait a second when I read your email it sounds like you accept the fact that people "should know what they are doing" ... but you didn't answer my question or _suggest_ that some minor note be added to the template documentation.
Re: Just going to point this out ...
On 19 February 2011 00:57, Shawn Milochik wrote:
> I also didn't see the part where they state that you shouldn't put your
> database login information in a template. That's probably because Django is
> designed to allow Web developers to do their jobs more easily, not allow
> people who don't know what they're doing make Web applications. If you're
> going to do something really stupid then blame Django in some way, then
> you're probably not competent at the job.

Um. While it might be obvious to us it might not be so obvious to others.
So this comment, " If you're going to do something really stupid then blame Django in some way, then you're probably not competent at the job" shows a lack of thought for other users given the way the django documentation found at [0] is presented.

[0] - http://docs.djangoproject.com/en/dev/topics/templates/#automatic-html-escaping
Re: Just going to point this out ...
I also didn't see the part where they state that you shouldn't put your database login information in a template. That's probably because Django is designed to allow Web developers to do their jobs more easily, not allow people who don't know what they're doing make Web applications. If you're going to do something really stupid then blame Django in some way, then you're probably not competent at the job.
Just going to point this out ...
Hi I cannot see where in the django documentation it states that you shouldn't do something like this:
** (as an example of a potential attribute injection vector[0] - where you are not using a URLField or failure to call full_clean (on a URLField) ).
That is I cannot see where django states that 'oh by the way our autoescape isn't safe in a few cases' and 'you should watch out for attribute injection!'.

So did I miss it?

[0] - the user-controlled link could be javascript:alert(1)

--
The fashion wears out more apparel than the man.
-- William Shakespeare, "Much Ado About Nothing"