    from turbogears import expose, identity

    @expose(format='json')
    @identity.require(identity.not_anonymous())
    def get_private_data(self, *args, **kw):
        ...  # return the private data here; only non-anonymous users reach this body
Why don't you just do that? The user has to be logged in to access that method. A non-logged-in request will receive a 403 HTTP error.

-fred-

On Apr 3, 2007, at 4:07 AM, Paul Johnston wrote:

> Hi,
>
> The advisory is relevant to TurboGears, which returns JSON data. If
> you have a JSON method that returns confidential data to a logged
> on user, a malicious website could harvest this. It is not FUD - at
> least one site I've developed was vulnerable. You could harvest the
> company's internal contact list.
>
> A quick fix at the TG level would be to have JSON controllers only
> return JSON for POST requests.
>
> Paul
>
> On 4/3/07, Bob Ippolito < [EMAIL PROTECTED]> wrote:
>
> Not really. That exploit only applies to people returning arrays from
> server-side stuff and has absolutely no implications whatsoever for
> client-side toolkits such as MochiKit. It's mostly FUD.

--
You received this message because you are subscribed to the Google Groups "TurboGears" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/turbogears?hl=en
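As an added example, not code from this thread or from TurboGears, here is a self-contained Python model of the two checks under discussion: fred's login requirement and Paul's POST-only rule. The Request class, the handler names and the contact data are constructed stand-ins for the framework's request object and controller, not TurboGears' API.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a framework request (hypothetical, not TurboGears').
# `user` is set when the browser sent a valid session cookie with the request.
@dataclass
class Request:
    method: str
    user: Optional[str] = None

# Constructed sample data standing in for a company's internal contact list.
CONTACTS = [{"name": "Alice Example", "phone": "555-0100"}]

def require_login(handler):
    """fred's check: anonymous callers get 403, everyone else reaches the handler."""
    def wrapper(req):
        if req.user is None:
            return 403, None
        return handler(req)
    return wrapper

def json_post_only(handler):
    """Paul's suggestion: JSON is only served in response to POST."""
    def wrapper(req):
        if req.method != "POST":
            return 405, None
        return handler(req)
    return wrapper

@require_login
def contacts_login_only(req):
    return 200, json.dumps(CONTACTS)

@json_post_only
@require_login
def contacts_post_only(req):
    return 200, json.dumps(CONTACTS)

def cross_site_script_tag(handler, victim="alice"):
    """Models a third-party page embedding the JSON URL in a <script src=...> tag:
    the victim's browser issues a GET and attaches the victim's session cookie,
    so the request is authenticated even though the victim never asked for it."""
    return handler(Request(method="GET", user=victim))

def first_party_xhr(handler, user="alice"):
    """Models the site's own JavaScript fetching the data with a POST."""
    return handler(Request(method="POST", user=user))
```

The login check alone returns the contact list to the cross-site request because the victim is logged in; the POST-only rule refuses it while still serving the site's own client.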

