Re: Just going to point this out ...

2011-02-19 Thread dave b
It would be interesting to perhaps extend something like django-lint
to pick up on what could be mistakes in templates.

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.



Re: Just going to point this out ...

2011-02-18 Thread dave b
>
> is this what you're looking for?
>
> http://www.owasp.org/index.php/OWASP_Application_Security_FAQ
>
> Mike

Hi Mike. Well, in this case the page would be
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
but yes, that link is a good starting point.

I should clarify why I emailed this list: I emailed this list
instead of filing a bug because I thought this was a bit stupid to
file a bug for. I wanted to see what other 'users' thought about it.
The general opinion thus far has been that people _should_ know about
these problems, which is a nice assumption but imho not always true
(and in a fair amount of applications no one will care if an XSS is
possible).




Re: Just going to point this out ...

2011-02-18 Thread Mike Ramirez
On Friday, February 18, 2011 06:07:57 am dave b wrote:
>  On 19 February 2011 00:57, Shawn Milochik  wrote:
> > I also didn't see the part where they state that you shouldn't put your
> > database login information in a template. That's probably because Django
> > is designed to allow Web developers to do their jobs more easily, not
> > allow people who don't know what they're doing make Web applications. If
> > you're going to do something really stupid then blame Django in some
> > way, then you're probably not competent at the job.
> 
> Um. While it might be obvious to us it might not be so obvious to others.
> So this comment,
> "If you're going to do something really stupid then blame Django in
> some way, then you're probably not competent at the job" shows a lack
> of thought for other users given the way the django documentation
> found at [0] is presented.
> 
> [0] -
> http://docs.djangoproject.com/en/dev/topics/templates/#automatic-html-escaping


is this what you're looking for?

http://www.owasp.org/index.php/OWASP_Application_Security_FAQ

Mike
-- 
"And what will you do when you grow up to be as big as me?"
asked the father of his little son.
"Diet."




Re: Just going to point this out ...

2011-02-18 Thread dave b
> Which of course it can't - it is properly escaped.
>
> Cheers
>
> Tom
>

Yes.




Re: Just going to point this out ...

2011-02-18 Thread Tom Evans
On Fri, Feb 18, 2011 at 1:52 PM, dave b  wrote:
> Hi I cannot see where in the django documentation it states that you
> shouldn't do something like this:
>   ** (as an example of a potential
> attribute injection vector[0] - where you are not using a URLField or
> failure to call full_clean (on a URLField) ).
> That is I cannot see where django states that 'oh by the way our
> autoescape isn't safe in a few cases' and 'you should watch out for
> attribute injection!'.
>
> So did I miss it?
>
> [0] - the user-controlled link could be javascript:alert(1)
>
>
>

Aha, I thought this was more interesting than it was. Obviously, if
you stick user generated input into an HTML attribute, then the value
of that HTML attribute is controlled by the user (and that should be
obvious enough that it shouldn't need to be mentioned...)

I thought you were inferring that something like this could be dangerous:
from django.template import Context, Template

# user_input tries to close the href attribute and add an event handler
ctxt = Context({'user_input': '" onclick="alert(\'pwned\')'})
# the value is rendered inside a quoted attribute, so autoescape turns
# the quote into &quot; and the attribute cannot be broken out of
tmpl = Template('<a href="{{ user_input }}">foo</a>')
tmpl.render(ctxt)

Which of course it can't - it is properly escaped.

Cheers

Tom




Re: Just going to point this out ...

2011-02-18 Thread dave b
On 19 February 2011 01:36, Masklinn  wrote:
> On 2011-02-18, at 15:31 , dave b wrote:
>> On 19 February 2011 01:29, Shawn Milochik  wrote:
>>> By the way -- I realized what happened. You CC'd me on the e-mail to the 
>>> list. So when I replied it went directly to you.
>>
>> Ah, sorry about the mix-up then!
>> Yeah :P
>>
>> My view on this is that documentation can always be improved!
> Sure, but the way to do it is usually to open a bug on the tracker and 
> provide a documentation patch (or alternatively find a way to fix the issue 
> itself, but as far as I can tell if you're putting unchecked unvalidated data 
> in your links there isn't much that can be done to help you).

Um, no I am not. I was using href with javascript as an example.

Example for Cal:

views.py
from django.shortcuts import render_to_response

def show_lol(request):
    # the hard-coded value stands in for an unvalidated, user-supplied link
    return render_to_response("lol.html",
                              {"lol": "javascript:alert(document.cookie)"})

lol.html
<html>
  <body>
    <a href="{{ lol }}">OKOKOKOK</a>
  </body>
</html>

Yes, this is very contrived.
If you used a URLField and the validator runs, this will not be saved
in the first place. Please do keep in mind that this is just a dumb
example of attribute abuse.
(./sleep &) Sorry, I am very tired atm - it isn't attribute injection,
just abuse.
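The behaviour dave's view and template demonstrate, next to the scheme check the thread says a URLField validator supplies, as an added example that is not code from the thread or from Django: Django's escape() is emulated with the standard library's html.escape (it replaces the same five characters), and autoescape, render_link, is_safe_href, safe_link and ALLOWED_SCHEMES are hypothetical names.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs (not from the thread): an attribute break-out
# attempt, and a javascript: URL containing no HTML metacharacters at all.
ONCLICK_PAYLOAD = '" onclick="alert(\'pwned\')'
JS_URL = "javascript:alert(document.cookie)"

# Hypothetical allow-list; a relative URL has no scheme and is accepted.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def autoescape(value: str) -> str:
    """Emulate Django's escape(): replace & < > " and ' with entities."""
    return html.escape(value, quote=True)


def render_link(href: str, text: str = "link") -> str:
    """Render <a href="{{ href }}">{{ text }}</a> as an autoescaped template would."""
    return '<a href="%s">%s</a>' % (autoescape(href), autoescape(text))


def is_safe_href(href: str) -> bool:
    """Scheme allow-list, the check a URLField-style validator supplies.

    Browsers drop ASCII whitespace and control characters from a URL before
    parsing it, so "java\\tscript:" is still a javascript: URL; strip them
    first so the check sees the same scheme the browser will.
    """
    cleaned = "".join(ch for ch in href if ch > " " and ch != "\x7f")
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def safe_link(href: str, text: str = "link") -> str:
    """Validate before rendering: escaping alone cannot neutralise a scheme."""
    if not is_safe_href(href):
        raise ValueError("href uses a scheme that is not allowed: %r" % href)
    return render_link(href, text)


if __name__ == "__main__":
    # The break-out attempt is neutralised by escaping ...
    print(render_link(ONCLICK_PAYLOAD))
    # ... but the javascript: URL passes through escaping untouched.
    print(render_link(JS_URL))
    print(is_safe_href(JS_URL), is_safe_href("/relative/path"))
```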




Re: Just going to point this out ...

2011-02-18 Thread Masklinn
On 2011-02-18, at 15:31 , dave b wrote:
> On 19 February 2011 01:29, Shawn Milochik  wrote:
>> By the way -- I realized what happened. You CC'd me on the e-mail to the 
>> list. So when I replied it went directly to you.
> 
> Ah, sorry about the mix-up then!
> Yeah :P
> 
> My view on this is that documentation can always be improved!
Sure, but the way to do it is usually to open a bug on the tracker and provide 
a documentation patch (or alternatively find a way to fix the issue itself, but 
as far as I can tell if you're putting unchecked unvalidated data in your links 
there isn't much that can be done to help you).




Re: Just going to point this out ...

2011-02-18 Thread Cal Leeming [Simplicity Media Ltd]
Dave, may I ask you to provide some proof of concept code in regards to
this? It'll also make life a lot easier for you when submitting a bug report
to the django devs.

On Fri, Feb 18, 2011 at 2:22 PM, dave b  wrote:

> On 19 February 2011 01:19, Shawn Milochik  wrote:
> > Don't take my comment as a personal attack. I was just pointing out that
> injection attacks are one of those things we're all responsible for being
> aware of and not opening ourselves up to.
> >
> > To the extent that Django protects us from such things, it's generally to
> ensure that the boilerplate Django saves us from writing (by baking it in)
> is safe.
> >
> > My point is that using Django doesn't relieve us of the responsibility of
> knowing what we're doing.
> >
> > Shawn
>
> Oh how nice you sent this to me off the list?
>
> Ok great. How about you get off your damn high horse and settle with
> us mortals?
>
> Wait a second when I read your email it sounds like you accept the
> fact that people "should know what they are doing" ... but you didn't
> answer my question or _suggest_ that some minor note be added to the
> template documentation.
>




Re: Just going to point this out ...

2011-02-18 Thread dave b
On 19 February 2011 01:29, Shawn Milochik  wrote:
> By the way -- I realized what happened. You CC'd me on the e-mail to the 
> list. So when I replied it went directly to you.

Ah, sorry about the mix-up then!
Yeah :P

My view on this is that documentation can always be improved!




Re: Just going to point this out ...

2011-02-18 Thread dave b
On 19 February 2011 01:19, Shawn Milochik  wrote:
> Don't take my comment as a personal attack. I was just pointing out that 
> injection attacks are one of those things we're all responsible for being 
> aware of and not opening ourselves up to.
>
> To the extent that Django protects us from such things, it's generally to 
> ensure that the boilerplate Django saves us from writing (by baking it in) is 
> safe.
>
> My point is that using Django doesn't relieve us of the responsibility of 
> knowing what we're doing.
>
> Shawn

Oh how nice you sent this to me off the list?

Ok great. How about you get off your damn high horse and settle with
us mortals?

Wait a second when I read your email it sounds like you accept the
fact that people "should know what they are doing" ... but you didn't
answer my question or _suggest_ that some minor note be added to the
template documentation.




Re: Just going to point this out ...

2011-02-18 Thread dave b
On 19 February 2011 00:57, Shawn Milochik  wrote:
> I also didn't see the part where they state that you shouldn't put your
> database login information in a template. That's probably because Django is
> designed to allow Web developers to do their jobs more easily, not allow
> people who don't know what they're doing make Web applications. If you're
> going to do something really stupid then blame Django in some way, then
> you're probably not competent at the job.

Um. While it might be obvious to us it might not be so obvious to others.
So this comment,
"If you're going to do something really stupid then blame Django in
some way, then you're probably not competent at the job" shows a lack
of thought for other users given the way the django documentation
found at [0] is presented.

[0] - 
http://docs.djangoproject.com/en/dev/topics/templates/#automatic-html-escaping




Re: Just going to point this out ...

2011-02-18 Thread Shawn Milochik
I also didn't see the part where they state that you shouldn't put your 
database login information in a template. That's probably because Django 
is designed to allow Web developers to do their jobs more easily, not 
allow people who don't know what they're doing make Web applications. If 
you're going to do something really stupid then blame Django in some 
way, then you're probably not competent at the job.




Just going to point this out ...

2011-02-18 Thread dave b
Hi, I cannot see where in the django documentation it states that you
shouldn't do something like this:
  ** (as an example of a potential
attribute injection vector[0] - where you are not using a URLField or
failure to call full_clean (on a URLField) ).
That is, I cannot see where django states that 'oh by the way our
autoescape isn't safe in a few cases' and 'you should watch out for
attribute injection!'.

So did I miss it?

[0] - the user-controlled link could be javascript:alert(1)



--
The fashion wears out more apparel than the man.-- William
Shakespeare, "Much Ado About Nothing"
