On 14 Jun, 08:53, Torsten Bronger <[email protected]> wrote:
> Hello!
>
> Alex Ogier writes:
>
> [...]
>
> > That suggests an idea to me. Perhaps the best way to check this
> > isn't on the way out in the template renderer, but rather on the
> > way back in, in the form validation. If the form doesn't get back
> > exactly those fields it sent out then you know that for whatever
> > reason, the field was unable to make a round trip.
>
> But can one guarantee that fields rendered in the browser are also
> sent back in the POST request? Even worse, how about non-browser
> requests?
One way is to have a .is_valid(safe_fields=list_of_fields) bypass. You could conveniently use form.is_valid(safe_fields=form.fields) if you want to take chances with security. In normal use you would need to manually whitelist checkboxes; otherwise this should just work. This is safer than requiring fields in form.meta, and protects against hidden overwrites to NULL, too.

Even safer is to always require whitelisting all allowed data elements in the is_valid() call. This is the most secure approach.

It is pointless to debate the approaches on the amount of security they give. This is all about the amount of convenience we are willing to sacrifice for the amount of security gained. To me it seems there isn't much security to be gained by always requiring fields, and there is much convenience lost. Still, there isn't any one right opinion here. A BDFL decision seems likely here.

The validation-stage checking seems worth more investigation to me. If we can pull off a nice, usable and secure API, this would be the best choice in my opinion.

Checkboxes are the real problem here. Sacrificing some security for convenience, one could just skip checkbox fields in the checking. If more security is wanted, then require manual whitelisting of checkbox fields.

 - Anssi
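The following is an added example, not code from this thread and not Django's own forms API: a standalone Python sketch of the validation-stage round-trip check being discussed, with the is_valid(safe_fields=...) bypass and the checkbox exception. Class and function names (RoundTripForm, FormField, save_to_record, strict_submit, lenient_submit) and the sample records and POST dictionaries are assumptions constructed for the illustration. It shows both outcomes the thread argues about: the strict check rejecting a non-browser request that dropped a rendered field, and the blanket safe_fields=form.fields bypass letting that same request overwrite a stored value with None.

```python
# Added example: a standalone sketch of the "check on the way back in" idea.
# Not Django code; the names below are invented for the illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class FormField:
    name: str
    # Browsers omit unchecked checkboxes from the POST entirely, so their
    # absence cannot be distinguished from a dropped field by presence alone.
    is_checkbox: bool = False


class RoundTripForm:
    """A form that knows which fields it rendered and, on validation, refuses
    submitted data in which a rendered field is missing, unless that field is
    a checkbox or was explicitly whitelisted via safe_fields."""

    def __init__(self, fields: Iterable[FormField],
                 data: Optional[Dict[str, str]] = None):
        self.fields: Dict[str, FormField] = {f.name: f for f in fields}
        self.data = data
        self.errors: List[str] = []
        self.cleaned_data: Dict[str, object] = {}

    def is_valid(self, safe_fields: Iterable[str] = ()) -> bool:
        self.errors = []
        self.cleaned_data = {}
        if self.data is None:
            return False  # unbound form: nothing was submitted
        # Passing self.fields (a dict) iterates its keys, i.e. every name,
        # which is the "take chances with security" shortcut from the thread.
        safe = set(safe_fields)
        for name, fld in self.fields.items():
            if name in self.data:
                self.cleaned_data[name] = self.data[name]
            elif fld.is_checkbox:
                # Absent checkbox is the normal "unchecked" case, not tampering.
                self.cleaned_data[name] = False
            elif name in safe:
                # Caller explicitly accepted that this field may be missing;
                # the resulting None is exactly the hidden overwrite to NULL.
                self.cleaned_data[name] = None
            else:
                self.errors.append(
                    f"{name}: rendered but not present in submitted data")
        return not self.errors


def save_to_record(record: Dict[str, object],
                   form: RoundTripForm) -> Dict[str, object]:
    """Model-style save: every key in cleaned_data overwrites the record."""
    record.update(form.cleaned_data)
    return record


def profile_form(data: Optional[Dict[str, str]]) -> RoundTripForm:
    # Constructed sample form: two text fields and one checkbox.
    return RoundTripForm([FormField("username"), FormField("email"),
                          FormField("newsletter", is_checkbox=True)], data)


def strict_submit(record, data):
    """Round-trip check on; returns (accepted, resulting record, errors)."""
    form = profile_form(data)
    if not form.is_valid():
        return False, dict(record), form.errors
    return True, save_to_record(dict(record), form), []


def lenient_submit(record, data):
    """Everything whitelisted, so a missing field silently becomes None."""
    form = profile_form(data)
    if not form.is_valid(safe_fields=form.fields):
        return False, dict(record), form.errors
    return True, save_to_record(dict(record), form), []


if __name__ == "__main__":
    # Constructed sample data.
    stored = {"username": "alice", "email": "alice@example.org", "newsletter": True}
    browser_post = {"username": "alice", "email": "alice@example.org"}  # box unchecked
    scripted_post = {"username": "alice"}  # non-browser client drops "email"
    print(strict_submit(stored, browser_post))
    print(strict_submit(stored, scripted_post))
    print(lenient_submit(stored, scripted_post))
```

The strict path answers Torsten's question directly: a request that did not send back a rendered non-checkbox field, from a browser or otherwise, is rejected before anything is saved. The lenient path shows what the blanket whitelist costs: the same request is accepted and the stored email is replaced with None. The checkbox is handled the way the thread proposes, skipped from the check and read as unchecked when absent.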
