We found two vulnerabilities that have been fixed in the latest
release of web2py (1.96.1) and plugin_wiki (which requires web2py
1.96.1).

## Vulnerability 1

Consider this action

    def index():
        a = 1
        b = 2
        return locals()

and the view

    {{=a}}

You clearly intended to expose only a, not b. But locals() returns
every local variable, and if you call the action with the .json
extension (index.json instead of index.html), web2py renders it with
the built-in generic.json view, which serializes the entire returned
dictionary: both a and b are sent to the client.

### the fix

Generic views are now disabled by default. You can re-enable them, for
example only for requests coming from localhost, with:

     response.generic_patterns = ['*'] if request.is_local else []

where '*' is a pattern to be matched against controller/action.extension.
List only the patterns you actually want to expose through generic views.
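To make the leak concrete, here is an added example (not web2py's own dispatcher) that models how a view gets chosen and why locals() is the root cause. The names VIEWS, index_fixed, html_view and dispatch are hypothetical, and generic_view_allowed assumes the patterns are fnmatch-style globs tested against controller/action.extension, as described above; the real dispatcher differs in detail.

```python
import fnmatch
import json


def index():
    """The action from the post: locals() returns every local, a and b alike."""
    a = 1
    b = 2
    return locals()


def index_fixed():
    """Hardened action: return exactly the names the view is allowed to see."""
    a = 1
    b = 2
    return dict(a=a)


def html_view(data):
    """Models the hand-written view {{=a}}: only a is referenced."""
    return str(data["a"])


def generic_json_view(data):
    """Models views/generic.json: it serializes the whole returned dict."""
    return json.dumps(data, sort_keys=True)


# Hypothetical view table: "controller/action.extension" -> renderer.
# Only an HTML view exists for index, as in the post; a .json request
# has no hand-written view and can only be served by generic.json.
VIEWS = {"default/index.html": html_view}


def generic_patterns_for(is_local):
    """The setting recommended in the post, as a function of request.is_local."""
    return ["*"] if is_local else []


def generic_view_allowed(controller, action, extension, patterns):
    """Assumption: patterns are fnmatch globs tested against
    'controller/action.extension'."""
    target = "%s/%s.%s" % (controller, action, extension)
    return any(fnmatch.fnmatch(target, p) for p in patterns)


def dispatch(action, controller, name, extension, generic_patterns, views=VIEWS):
    """Simplified dispatcher: run the action, pick a view, render.
    Returns None where web2py would refuse with an HTTP error because
    neither a hand-written nor a permitted generic view exists."""
    data = action()
    key = "%s/%s.%s" % (controller, name, extension)
    if key in views:
        return views[key](data)
    if extension == "json" and generic_view_allowed(controller, name, extension, generic_patterns):
        return generic_json_view(data)
    return None


if __name__ == "__main__":
    # .html goes through {{=a}}: only a is shown
    print(dispatch(index, "default", "index", "html", ["*"]))
    # .json with generic views enabled: b leaks through generic.json
    print(dispatch(index, "default", "index", "json", ["*"]))
    # same request with the new default (no generic patterns): refused
    print(dispatch(index, "default", "index", "json", generic_patterns_for(is_local=False)))
    # explicit dict: even with generic views on, only a is serialized
    print(dispatch(index_fixed, "default", "index", "json", ["*"]))
```

Two lessons follow from running it: keep response.generic_patterns empty in production, and return an explicit dict from actions instead of locals(), so that a generic view enabled for debugging still cannot serialize more than you intended.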

### comments

Although we decided to classify this as a vulnerability, this actually
was the intended behavior. Data returned by the view was to be
considered readable to the user. We had a debate on web2py_developers
whether this needed a fix. Turns out most people (including me) forgot
about generic views and accidentally return data that they do not wish
to expose. So now we ask developers to be more explicit about what they
want to expose.

## Vulnerability 2

This is not a web2py issue but a plugin_wiki issue. The plugin exposes
a jQuery callback. Logged-in users (and only logged-in users) can
exploit the callback to get read access to data they should not have
access to.

### the fix

Simply upgrade plugin_wiki. The new version uses signed URLs to access
the callback, so only the intended data is exposed.
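As an added illustration of the principle behind the fix (this is not plugin_wiki's code and not web2py's own URL-signing API), the following signs the callback URL with an HMAC over the path and every parameter, so that a logged-in user can only call URLs the server actually issued and cannot rewrite the parameters to reach other records. The callback path, the page table and the per-user secret are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample data and a constructed per-user secret (not real keys).
# The hypothetical callback serves one wiki page by id; a request whose
# parameters were not signed by the server must not get any page at all.
PAGES = {
    "1": "public welcome page",
    "2": "draft visible only to editors",
}
USER_SECRET = b"per-session secret, generated server side"


def canonical(path, params):
    """Canonical form covered by the signature: path plus sorted, encoded params."""
    return path + "?" + urlencode(sorted(params.items()))


def sign_url(path, params, secret):
    """Server side: emit the URL the page's JavaScript is allowed to call."""
    msg = canonical(path, params)
    sig = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()
    return msg + "&_signature=" + sig


def verify_url(url, secret):
    """Callback side: (True, params) only if the signature matches the path
    and every parameter; duplicate keys are refused so the signed value
    cannot be shadowed by a second copy of the same parameter."""
    path, _, query = url.partition("?")
    sig = None
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == "_signature":
            sig = value
        elif key in params:
            return False, params
        else:
            params[key] = value
    if sig is None:
        return False, params
    expected = hmac.new(secret, canonical(path, params).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig), params


def callback(url, secret):
    """The hypothetical plugin callback: refuse unless the URL was issued by us."""
    ok, params = verify_url(url, secret)
    if not ok:
        return None  # web2py would raise an HTTP 403 here
    return PAGES.get(params.get("id"))


if __name__ == "__main__":
    issued = sign_url("/plugin_wiki/callback", {"id": "1"}, USER_SECRET)
    print(issued)
    print(callback(issued, USER_SECRET))                        # intended page
    print(callback(issued.replace("id=1", "id=2"), USER_SECRET))  # tampered: None
    print(callback("/plugin_wiki/callback?id=2", USER_SECRET))    # unsigned: None
```

The secret has to be per user (or per session) so that a signature obtained by one logged-in user does not authorize another, and the comparison uses hmac.compare_digest to avoid leaking the expected value through timing.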

### comments

I remind you that plugin_wiki is not part of web2py and I still
consider it experimental. The new plugin_wiki requires web2py 1.96.1.

