Wow, thanks a lot for the notice, Anthony, that's such a big security hole.

So, putting response.generic_patterns = ['json'] inside db.py will still re-open that vulnerability? Putting it in all views that return JSON will be the safest?

On 8/30/11, Anthony <[email protected]> wrote:
> On Tuesday, August 30, 2011 8:05:59 AM UTC-4, Phyo Arkar wrote:
>>
>> I am having the same problem with all my json calls, which are not with
>> jsonrpc.
>> I found this post and I tried adding
>>
>> response.generic_patterns = ['*']
>>
>> and it worked! Thanks a lot rammi, you saved a life. I will never update
>> web2py unless something major is improved.
>>
> Note, changes in web2py only cause breaks like this when they are fixing
> bugs or resolving a security vulnerability. In this case, there was a
> security vulnerability, and it might be good that it broke your application,
> because it could prompt you to discover and fix a vulnerability. In fact,
> you probably should not simply set response.generic_patterns = ['*'], as
> that will completely restore the old behavior and therefore leave you open
> to the vulnerability. Instead, you should be more specific with
> response.generic_patterns.
>
> If you enable generic.json for all requests (which is what you have done),
> then a malicious user can go to _any_ function in _any_ controller in your
> app (even functions that you do not intend to serve via JSON) and get a JSON
> view of whatever is returned by that function. If your function returns any
> variables that you do not want exposed to all users or returns a database
> select that includes some fields you do not want to expose to all users,
> those variables and fields will be exposed via JSON. For example, if you
> return some user records to a view (e.g., a list of users/members), all
> fields will be exposed (including the password field).
>
> To be safest, it is best to conditionally set response.generic_patterns =
> ['json'] only when needed. You could set it inside the functions that need
> to serve JSON, or set it conditionally in a model depending on the incoming
> request. Note, generic_patterns can be a list of globs that match the
> incoming controller/function.extension.
>
> Anthony
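The following is an added, stand-alone Python example written for this page; it is not code from the thread or from web2py itself. It reproduces the rule Anthony describes (response.generic_patterns is a list of globs searched against "controller/function.extension") so you can see which requests each pattern lets through, and it shows what a generic JSON view would hand to a client when a members action returns rows that include a password field. The helper names (generic_view_allowed, generic_patterns_for, exposed_fields, public_members), the "api" controller policy and the MEMBERS rows are all assumptions constructed for illustration.

```python
import fnmatch
import re


def generic_view_allowed(patterns, controller, function, extension):
    """Return True if a generic.<extension> view would be used for this request.

    Mirrors the behaviour described in the thread: each entry of
    response.generic_patterns is a glob, and the request is identified as
    "controller/function.extension". Reimplementation for illustration only.
    """
    if not patterns:
        return False
    if isinstance(patterns, str):
        patterns = [patterns]
    # fnmatch.translate() turns a glob into an anchored regex; joining the
    # translations with "|" and using search() means 'json' matches any
    # action whose short name ends in "json", and '*' matches everything.
    regex = re.compile("|".join(fnmatch.translate(p) for p in patterns))
    short_action = "%s/%s.%s" % (controller, function, extension)
    return regex.search(short_action) is not None


def generic_patterns_for(controller, is_local):
    """Hypothetical model-level policy (an assumption, not web2py's default).

    Requests from the local machine get every generic view, which is handy
    while developing; over the network only the (assumed) 'api' controller
    may be rendered through generic.json, and nothing else gets a generic view.
    """
    if is_local:
        return ["*"]
    if controller == "api":
        return ["api/*.json"]
    return []


# Constructed sample rows standing in for db(db.auth_user).select();
# the hash string is made up.
MEMBERS = [
    {"id": 1, "email": "alice@example.com", "password": "pbkdf2(1000,20,sha512)$aaaa$bbbb"},
    {"id": 2, "email": "bob@example.com", "password": "pbkdf2(1000,20,sha512)$cccc$dddd"},
]


def exposed_fields(patterns, controller, function, extension, rows):
    """Field names a remote client receives if this action is served via
    a generic JSON view. Empty set means the request never reaches that view."""
    if not generic_view_allowed(patterns, controller, function, extension):
        return set()
    exposed = set()
    for row in rows:
        exposed.update(row.keys())
    return exposed


def public_members(rows):
    """The fix on the action side: return only the fields meant to be public,
    so even an allowed generic view cannot leak the password column."""
    return [{"id": r["id"], "email": r["email"]} for r in rows]


if __name__ == "__main__":
    # '*' leaks every field of a members listing, password included.
    print(exposed_fields(["*"], "default", "members", "json", MEMBERS))
    # The conditional policy blocks the same request from a remote client.
    print(exposed_fields(generic_patterns_for("default", False),
                         "default", "members", "json", MEMBERS))
```

The two lines of defence are independent: restricting generic_patterns decides which actions may be rendered generically at all, while trimming the returned rows (public_members) decides what any view, generic or hand-written, can ever show. Apply both; a later change that widens generic_patterns should not be able to turn a members listing into a password dump.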

