We found two vulnerabilities that have been fixed in the latest release of web2py (1.96.1) and plugin_wiki (which requires web2py 1.96.1).

## Vulnerability 1

Consider this action:

```python
def index():
    a = 1
    b = 2
    return locals()
```

and the view:

```
{{=a}}
```

You clearly intended to expose only `a`, not `b`. But if you call the action with the `.json` extension, both `a` and `b` will be serialized by the `generic.json` view.

### The fix

Generic views are now disabled by default. You can enable them from localhost with:

```python
response.generic_patterns = ['*'] if request.is_local else []
```

where `'*'` is a pattern to be matched against the `controller/action.extension` that you want to expose using generic views.

### Comments

Although we decided to classify this as a vulnerability, this actually was the intended behavior. Data returned by the view was to be considered readable by the user. We had a debate on web2py_developers about whether this needed a fix. It turns out most people (including me) forgot about generic views and accidentally return data that they do not wish to expose. So now we ask developers to be more explicit about what they want to expose.

## Vulnerability 2

This is not a web2py issue but a plugin_wiki issue. The plugin exposes a jQuery callback. Logged-in users (and only logged-in users) can exploit the callback to get read access to data they should not have access to.

### The fix

Simply upgrade plugin_wiki. The new version uses signed URLs to access the callback. Only the intended data is exposed.

### Comments

I remind you that plugin_wiki is not part of web2py and I still consider it experimental. The new plugin_wiki requires web2py 1.96.1.
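Returning to Vulnerability 1: the following stand-alone Python is an added illustration, not code from the web2py release, that simulates the generic-view decision and shows what `locals()` versus an explicit `dict` exposes once a `.json` request falls through to `generic.json`. The `Request`/`Response` stand-ins, `serve`, `exposed_keys`, and the use of shell-style `fnmatch` for pattern matching are assumptions made for this example.

```python
import json
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Request:            # stand-in for web2py's request object (assumption)
    controller: str
    function: str
    extension: str
    is_local: bool


@dataclass
class Response:           # stand-in for web2py's response object (assumption)
    # Mirrors the 1.96.1 default: no generic views unless the app opts in.
    generic_patterns: list = field(default_factory=list)


def configure(request, response):
    # The setting recommended in the post: generic views for local requests only.
    response.generic_patterns = ['*'] if request.is_local else []


def generic_view_allowed(request, response):
    # Patterns are matched against "controller/function.extension";
    # shell-style globbing via fnmatch is an assumption of this example.
    target = f"{request.controller}/{request.function}.{request.extension}"
    return any(fnmatch(target, p) for p in response.generic_patterns)


def leaky_index():
    a = 1
    b = 2
    return locals()       # b leaks too once generic.json serializes the dict


def safe_index():
    a = 1
    b = 2                 # used internally only
    return dict(a=a)      # explicit about what the view may see


def serve(request, response, action):
    """JSON body a generic.json view would emit, or None if no generic view applies."""
    if request.extension != 'json' or not generic_view_allowed(request, response):
        return None
    return json.dumps(action(), sort_keys=True)


def exposed_keys(body):
    """Sorted list of top-level keys a client would receive (empty when nothing is served)."""
    return sorted(json.loads(body)) if body else []
```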