I'd bet this might be a security hole:
i = web.input()
cur.execute('select passwdhash from credentials where user=?',
            (i.user,))
Does web.py do any automatic sanitization of input? I should probably
do something like this anyway:
# sanity checks on user input
if len(i.user) > MAX_USERNAME_LEN:
    raise web.unauthorized()
if not i.user.isalnum():
    raise web.unauthorized()
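An added example, not from the original post, showing what the `?` placeholder does with awkward input and wrapping the poster's sanity checks in a function. It uses an in-memory sqlite3 table constructed here in place of the real `credentials` table, and `MAX_USERNAME_LEN` is an assumed value.

```python
import sqlite3

MAX_USERNAME_LEN = 32  # assumed limit; the post does not give a value


def make_db():
    """Constructed in-memory stand-in for the poster's `credentials` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table credentials (user text primary key, passwdhash text)")
    conn.executemany("insert into credentials values (?, ?)",
                     [("alice", "hash-of-alice"), ("bob", "hash-of-bob")])
    return conn


def validate_username(user):
    """The poster's sanity checks as a predicate: bounded length, alphanumeric only."""
    return len(user) <= MAX_USERNAME_LEN and user.isalnum()


def lookup_hash(conn, user):
    """Parameterised lookup: `user` is bound as a value, never spliced into the SQL text."""
    cur = conn.execute("select passwdhash from credentials where user=?", (user,))
    row = cur.fetchone()
    return row[0] if row else None


def lookup_hash_unsafe(conn, user):
    """Same query built by string formatting, shown only to contrast with the bound form."""
    cur = conn.execute("select passwdhash from credentials where user='%s'" % user)
    row = cur.fetchone()
    return row[0] if row else None


def compare_lookups(conn, user):
    """Run both lookups; report the unsafe one's failure as a string instead of raising."""
    safe = lookup_hash(conn, user)
    try:
        unsafe = lookup_hash_unsafe(conn, user)
    except sqlite3.Error as exc:
        unsafe = "error: %s" % type(exc).__name__
    return safe, unsafe


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien"):
        # A quote in the name is harmless to the bound query but breaks the formatted one.
        print(name, validate_username(name), compare_lookups(db, name))
```

With `o'brien`, the bound query simply finds no row, while the formatted query fails to parse; the `isalnum()` check rejects that name before either query runs.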