On 17 June, 23:14, Erik Romijn <[email protected]> wrote:
> Especially after seeing Jessica McKellar's keynote at Djangocon EU, on
> the experience of novice developers when using Django, I strongly feel
> we should not leave the situation as it is. Although this risk and its
> mitigations may be obvious to people on this list, a more novice
> developer using Django is much more likely to overlook this issue.
I find the option of raising warnings or errors on missing data elements the best option forward. There is one unfortunate downside: we can't do this for checkboxes. So, it would be possible to have a hidden-editable checkbox field.

The scope of this vulnerability is different from Rails. In Rails the fields not included in the HTML form are not edited at all; in Django they are always edited - if there is no data in the sent HTML form, they are set to None. Thus, you will usually spot that they are editable. This can bite the user if there is a security-sensitive nullable field which usually stores the null value (so that you won't easily spot the overwrite to null), you use a ModelForm with the field present, and you render only part of the fields of that form.

Adding a warning or error on missing data elements would be a security improvement, and a usability improvement, too. If the field is not nullable, you will not see the validation error, as the field isn't part of the form you are rendering, and you are left wondering why the form didn't validate. If the field is nullable, and you don't spot the overwrite to null, then you have a potential data loss or security issue.

If the error/warning were added, the scope of this security issue would be limited to checkboxes, and even then to checkboxes which usually contain the non-checked value, are security sensitive, and where you are using a ModelForm with the checkbox field present but not rendering it in your HTML form.

If it is decided that 'fields' is required, I think we should still add the warning for missing data elements. Even if 'fields' is present in the form's Meta, you can make the same mistake this whole thread is about.

For the record, Rails handles checkboxes by adding a hidden input with the same name just above the checkbox. If the checkbox isn't checked, then the hidden field's value is sent; if the checkbox is checked, the checkbox value will be sent.
- Anssi

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
