On 14 June, 09:03, Alex Ogier <[email protected]> wrote:
> Right, the Django situation is already considerably more secure than the
> Rails status quo. They have a whitelist or blacklist of attributes that
> they have declared "accessible", independent of forms, making it easy to
> misunderstand that any form can update any accessible attribute regardless
> of the input fields the developer has included.
>
> Our forms only validate the fields they explicitly or implicitly include.
> The only way to get a security hole is to have a mismatch between the
> fields in your python form and the input fields in your HTML. Since all our
> forms are explicit, it is feasible to catch that scenario and throw an
> error, which I think we should do.
There is an additional important distinction between Django and Rails: In Django, when a field is not part of the POST, but it is part of the ModelForm, it will be validated and saved on basis of the POST value (that is, set to None as it is missing). In Rails, it will keep its original value from the database. Thus, in Django it is easier to spot that all of the fields in the ModelForm are editable due to "this field is required" errors on form.is_valid(), or the field getting set to NULL on form.save().

Also, users are likely to restrict the fields by hand even if they render only a part of them, as otherwise the fields will be overwritten to NULL on save.

It would be useful to warn about missing POST keys. In addition to the security issue, missing HTML form elements will likely result in "overwrite to NULL" issues. We cannot warn about checkboxes, as those are not always part of the POST even if they are in the HTML form, but for other fields we should be able to do the warnings. There are use cases where the warnings are just noise, so add some way to suppress them.

I made a _very_ quick branch based on the above idea: on ModelForm.is_valid() the data and self.fields are checked for possible missing pieces of data. I don't know if this idea is practical due to differences in browsers. The branch is available here: https://github.com/akaariai/django/compare/warn_missing_keys

I don't see our ModelForms situation as comparable to the Rails situation. The scope for security issues is much smaller for us than for Rails.

- Anssi
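The two binding behaviours contrasted in the message above, and the "missing POST key" warning the branch sketches, as an added example that is not code from the thread, from the linked branch, or from Django itself. It is a Django-free stand-in written in plain Python so it runs without the framework: `FieldSpec`, `bind_django_style`, `bind_rails_style`, `missing_post_keys`, `restrict_fields` and the sample form and POST data are all constructed for illustration, and `restrict_fields` plays the role that an explicit `Meta.fields` list plays on a real ModelForm.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldSpec:
    """Constructed stand-in for a form field: name, widget kind, required flag."""
    name: str
    widget: str = "text"      # "text" or "checkbox"
    required: bool = True


# Constructed sample: a ModelForm built over all four model fields, while the
# template only rendered inputs for username and email.
FORM_FIELDS = (
    FieldSpec("username"),
    FieldSpec("email"),
    FieldSpec("is_admin", widget="checkbox", required=False),
    FieldSpec("bio", required=False),
)
ORIGINAL_ROW = {"username": "alice", "email": "[email protected]",
                "is_admin": False, "bio": "original bio"}
POST = {"username": "alice", "email": "[email protected]"}


def bind_django_style(fields, post):
    """Django ModelForm semantics as described in the thread: every field in
    the form is read from POST. A missing key counts as empty: a required
    field produces 'This field is required.', an optional one becomes None
    and would be written as NULL by form.save()."""
    cleaned, errors = {}, {}
    for f in fields:
        if f.widget == "checkbox":
            cleaned[f.name] = f.name in post   # unchecked boxes are simply absent
            continue
        value = post.get(f.name, "")
        if value == "":
            if f.required:
                errors[f.name] = "This field is required."
            value = None
        cleaned[f.name] = value
    return cleaned, errors


def bind_rails_style(fields, post, original_row):
    """Rails-style semantics as described in the thread: attributes absent
    from the request keep their database value, so the mismatch between the
    form and the HTML stays silent."""
    row = dict(original_row)
    for f in fields:
        if f.name in post:
            row[f.name] = post[f.name]
    return row


def missing_post_keys(fields, post):
    """The warning the branch sketches: form fields for which the browser
    sent no key at all. Checkboxes are skipped because browsers omit
    unchecked ones, so their absence proves nothing."""
    return [f.name for f in fields
            if f.widget != "checkbox" and f.name not in post]


def restrict_fields(fields, allowed):
    """Stand-in for listing fields explicitly in ModelForm.Meta.fields: the
    form only knows about what the template actually renders."""
    return tuple(f for f in fields if f.name in allowed)


if __name__ == "__main__":
    cleaned, errors = bind_django_style(FORM_FIELDS, POST)
    print("django cleaned:", cleaned, "errors:", errors)
    print("rails row:", bind_rails_style(FORM_FIELDS, POST, ORIGINAL_ROW))
    print("missing keys:", missing_post_keys(FORM_FIELDS, POST))
    print("after restricting:", missing_post_keys(
        restrict_fields(FORM_FIELDS, {"username", "email", "is_admin"}), POST))
```

Run as a script, the Django-style binding reports `bio` as `None` (the "overwrite to NULL" symptom), the Rails-style binding keeps `original bio` without any visible sign of the mismatch, and `missing_post_keys` names `bio` as the field the form accepts but the HTML never sends; once the form is restricted to the rendered fields the warning list is empty, which is the state a developer wants to be in.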
