Note, restoring apps to the original behavior requires just this single line in any model file:

response.generic_patterns=['*']

Anthony
On Wednesday, August 3, 2011 5:02:28 PM UTC-4, Kevin Butler wrote:
> Let me preface this by saying that I really enjoy web2py, and that it's a
> testament to the great efforts that Massimo puts into maintaining backwards
> compatibility that made this change such a painful surprise...
>
> 1.96.1 includes a security fix that breaks existing applications by
> disabling generic views. *[release notes included at the end of this post].
>
> The fix was made for good reasons (because saying "Don't do that" isn't a
> good security solution), but it really does break existing applications -
> see http://web2py.com/examples/default/examples 3rd example, click the
> hello3.json and hello3.xml links - "invalid view
> (simple_examples/hello3.xml)". Multiple other examples on that page are
> also broken. By definition, these examples are the way users learn to write
> web2py apps - and they're broken.
>
> Application-breaking changes really MUST be highlighted more than just
> mentioning a security fix with a "slight change of behavior for new app" in
> the release notes. I would like to have been warned on every startup until
> I acknowledged the changes: "You have upgraded web2py from version X to
> version Y. The following changes have been made that change the behavior of
> your applications: 1.96.1 - generic views are now disabled by default. This
> may cause invalid view errors, ..."
>
> Furthermore, the localhost exemption hides the breakage - letting you
> exhaustively test the application locally, where it works fine, then deploy
> it where it breaks for your users. (Guess I need a non-local staging
> location...) I believe this exemption should be removed (it is easy enough
> to add explicitly in db.py if developers want a localhost exemption).
>
> Finally, the error message "invalid view (simple_examples/hello3.xml)"
> (http://web2py.com/examples/simple_examples/hello3.xml) is confusing to
> users and doesn't help the developer know what is wrong.
>
> Ideally, this situation would invoke the traceback mechanism with an error
> message including instructions for the developer:
>
> web2py generic views are disabled by default because they could expose
> more fields of objects returned from your controller methods than you
> intended to expose in your custom view. To enable generic views in spite of
> this security risk, add the following line to your db.py:
> response.generic_patterns = ['*']
>
> kb
>
> * The security problem occurs if you return sensitive data from your
> controller methods and attempt to hide it in your custom view; the hiding
> can be circumvented with the generic views.
>
> Security description in the release notes for 1.96.1 doesn't indicate this
> release is not backwards compatible:
> """
> usage of generic.* views is - by default - restricted to localhost for
> security. This can be changed in a granular way with:
> response.generic_patterns=['*']. This is a slight change of behavior for
> new app but a major security fix.
> """
> http://www.web2py.com/examples/default/changelog
>
> Massimo's announcement of the problem in the mailing list is informative:
> https://groups.google.com/d/msg/web2py/26g9XA_0ZXE/4yiIHs5FivkJ
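The following is an added example, not code from web2py or from anyone in this thread. It models, on constructed data, the two things the thread is about: how `response.generic_patterns` gates whether a generic view may render what a controller returned (and so why a deployed app hits "invalid view" while localhost works), and why the gate exists (a hand-written view that shows only some fields is bypassed as soon as the same action is requested as `.json`). It assumes that web2py matches each pattern against `controller/function.extension` with shell-style wildcards; the sample record, the view functions and the `render` dispatcher are stand-ins for the framework's own machinery, not reproductions of it.

```python
# Added example, not code from the web2py project or from this thread.
# Models (does not reproduce) how web2py decides whether a generic view may
# render a controller's result, so the 1.96.1 "invalid view" error and the
# data-exposure problem it fixes can be seen on constructed data.
import fnmatch
import json

# Constructed sample: what a controller action might return. The custom HTML
# view was written to show only 'name'; the other keys were meant to stay hidden.
PROFILE = {"name": "alice", "password_hash": "$2b$12$...", "ssn": "123-45-6789"}


def generic_view_allowed(patterns, controller, function, extension):
    """True if 'controller/function.extension' matches any pattern in the list.

    Assumption: web2py matches patterns against this path with fnmatch-style
    wildcards, so '*' allows everything and 'api/*.json' allows only JSON
    output of the api controller.
    """
    target = "%s/%s.%s" % (controller, function, extension)
    return any(fnmatch.fnmatch(target, p) for p in patterns)


def default_patterns(is_local):
    """The 1.96.1 default for new apps: generic views from localhost only.

    Equivalent to the db.py line
        response.generic_patterns = ['*'] if request.is_local else []
    which is why an app can pass every local test and still break deployed.
    """
    return ["*"] if is_local else []


def custom_html_view(record):
    """Stand-in for a hand-written view: exposes only the field it chose to."""
    return "<p>%s</p>" % record["name"]


def generic_json_view(record):
    """Stand-in for generic.json: serializes everything the controller returned."""
    return json.dumps(record, sort_keys=True)


def render(patterns, controller, function, extension, record, custom_views):
    """Simulated view selection.

    custom_views: set of extensions for which a hand-written view file exists.
    A custom view wins when present; otherwise the generic view is used only
    if the patterns allow it; otherwise the request fails with the
    'invalid view (controller/function.extension)' message quoted above.
    """
    if extension in custom_views:
        return custom_html_view(record)
    if generic_view_allowed(patterns, controller, function, extension):
        return generic_json_view(record)
    return "invalid view (%s/%s.%s)" % (controller, function, extension)


if __name__ == "__main__":
    views = {"html"}  # only profile.html was written by hand
    # Pre-1.96.1 behaviour (everything allowed): the custom view hides the
    # secrets, but requesting .json bypasses it and dumps the whole dict.
    print(render(["*"], "default", "profile", "html", PROFILE, views))
    print(render(["*"], "default", "profile", "json", PROFILE, views))
    # 1.96.1 default on a deployed (non-local) server: generic view refused.
    print(render(default_patterns(False), "default", "profile", "json", PROFILE, views))
    # Granular opt-in: only the api controller's JSON output, nothing else.
    print(generic_view_allowed(["api/*.json"], "api", "list", "json"))
    print(generic_view_allowed(["api/*.json"], "default", "profile", "json"))
```

Running it shows the trade-off both posts describe: with `['*']` the `.html` request prints only the name while the `.json` request prints `password_hash` and `ssn` as well; with the deployed default it prints `invalid view (default/profile.json)`; and a pattern such as `['api/*.json']` re-enables generic output only for actions whose controller never returns anything it wants hidden.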

