On Tuesday, August 30, 2011 8:05:59 AM UTC-4, Phyo Arkar wrote:

> I'm having the same problem, with all my JSON calls, which are not with jsonrpc.
> I found this post and I tried adding
>
> response.generic_patterns = ['*']
>
> and it worked! Thanks a lot rammi, you saved a life. I will never update web2py unless something major is improved.

Note, changes in web2py only cause breaks like this when they are fixing bugs or resolving a security vulnerability. In this case, there was a security vulnerability, and it might be good that it broke your application, because it could prompt you to discover and fix a vulnerability. In fact, you probably should not simply set response.generic_patterns = ['*'], as that will completely restore the old behavior and therefore leave you open to the vulnerability. Instead, you should be more specific with response.generic_patterns.
If you enable generic.json for all requests (which is what you have done), then a malicious user can go to _any_ function in _any_ controller in your app (even functions that you do not intend to serve via JSON) and get a JSON view of whatever is returned by that function. If your function returns any variables that you do not want exposed to all users or returns a database select that includes some fields you do not want to expose to all users, those variables and fields will be exposed via JSON. For example, if you return some user records to a view (e.g., a list of users/members), all fields will be exposed (including the password field).

To be safest, it is best to conditionally set response.generic_patterns = ['json'] only when needed. You could set it inside the functions that need to serve JSON, or set it conditionally in a model depending on the incoming request. Note, generic_patterns can be a list of globs that match the incoming controller/function.extension.

Anthony
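The difference between the blanket `['*']` setting and a scoped policy, as an added, runnable illustration that is not part of the thread and not web2py's own code. The `Request`/`Response` objects are `SimpleNamespace` stand-ins for the framework globals a model file sees, the `default/users` and `api/members` actions and their `USERS` table are constructed sample data, and `dispatch` reproduces only the decision discussed above: with no explicit view on disk, fall back to `generic.<extension>` only if the `controller/function.extension` string matches one of the globs in `response.generic_patterns` (modelled here with `fnmatch`; check the exact matching rule against the web2py version you run).

```python
"""Scoping response.generic_patterns: constructed stand-in for web2py's
generic-view fallback, not the framework's own code."""
import json
from fnmatch import fnmatch
from types import SimpleNamespace

# Constructed sample table: what a careless `db(db.auth_user).select()` returns,
# password hashes included.
USERS = [
    {"id": 1, "email": "alice@example.com", "password": "pbkdf2(1000,20,sha512)$<hash>"},
    {"id": 2, "email": "bob@example.com", "password": "pbkdf2(1000,20,sha512)$<hash>"},
]

# Constructed controller actions; each returns a dict, as web2py actions do.
def users():
    """default/users: written for an HTML view, returns whole rows."""
    return {"rows": USERS}

def members():
    """api/members: designed for JSON, returns only the fields meant to be public."""
    return {"members": [{"id": u["id"], "email": u["email"]} for u in USERS]}

CONTROLLERS = {"default": {"users": users}, "api": {"members": members}}
# Explicit views that exist on disk in this constructed app: only the HTML one.
EXPLICIT_VIEWS = {"default/users.html"}

def permissive_policy(request):
    """The quoted workaround: generic views for every controller/function.extension."""
    return ["*"]

def scoped_policy(request):
    """Model-level policy from the reply: enable a generic JSON view only for the
    one action that is meant to serve JSON, nothing for any other request."""
    if request.controller == "api" and request.function == "members":
        return ["api/members.json"]
    return []

def make_request(controller, function, extension="html"):
    """Stand-in for web2py's `request` global (assumption: only these attrs matter)."""
    return SimpleNamespace(controller=controller, function=function, extension=extension)

def dispatch(request, policy):
    """Return ('view', name), ('json', body) or ('http', 404) for one request.

    The policy runs first, as code in a model file would, and populates the
    stand-in `response.generic_patterns` before the action executes.
    """
    response = SimpleNamespace(generic_patterns=policy(request))
    action = CONTROLLERS.get(request.controller, {}).get(request.function)
    if action is None:
        return ("http", 404)
    result = action()
    key = "%s/%s.%s" % (request.controller, request.function, request.extension)
    if key in EXPLICIT_VIEWS:
        return ("view", key)
    # No explicit view: generic fallback only when a glob matches the request.
    if any(fnmatch(key, pattern) for pattern in response.generic_patterns):
        if request.extension == "json":
            return ("json", json.dumps(result, sort_keys=True))
        return ("view", "generic.%s" % request.extension)
    return ("http", 404)  # web2py answers "invalid view" when nothing matches

def leaked_passwords(policy):
    """Does requesting default/users.json reveal password hashes under this policy?"""
    kind, body = dispatch(make_request("default", "users", "json"), policy)
    return kind == "json" and "password" in body

if __name__ == "__main__":
    for name, policy in (("['*']", permissive_policy), ("scoped", scoped_policy)):
        print(name, "leaks password hashes via default/users.json:", leaked_passwords(policy))
        print(name, "api/members.json ->", dispatch(make_request("api", "members", "json"), policy))
```

Two things to take from the run: under `['*']`, a function that was only ever given an HTML view answers `default/users.json` with the full rows, hashes included, while the scoped policy returns 404 there and still serves `api/members.json`; and the JSON-facing action itself selects the fields it means to expose, so enabling the generic view for it does not widen what the response contains.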

