On Mar 7, 10:13 am, Donald Stufft <donald.stu...@gmail.com> wrote:
> For what it's worth in the context of the Homakov exploit, this has been a
> well known vulnerability by the rails core for years
> that they've basically said "not our problem, configure your app better" the
> entire time. I think that situation is the one that
> Joey was referring to.
I hope that Django has no vulnerabilities of the "WTFitude" that Ruby on Rails has with "mass assignment" vulnerabilities. I got this link from Homakov's github complaint[1].

http://enlightsolutions.com/articles/whats-new-in-edge-scoped-mass-assignment-in-rails-3-1

"If you're using Rails and you want to be secure, you should be protecting against mass assignment. Basically, without declaring attr_accessible or attr_protected, malicious users can set any column value in your database, including foreign keys and secure data."

Huh? (With a side helping of jaw dropping.) Why would you allow your users to get anywhere near the DB code? Why should it be even possible? Why would "magic" attributes make a difference?

In Django, you abstract the models code (which reads and writes DB records) from the views (where all the monkey business could occur) from the urls. At least that's what I thought you should do. You also make the views in charge of checking whether your requests are POSTs or GETs. Okay, this depends on the programmer to do the right thing, but programmers are encouraged to do the right thing by the framework.

You could set up a vulnerability that allows attackers to add every British PM in your Users model (from Walpole to Cameron) via a GET request. But you'd have to sabotage your own code to do so.

Or am I missing something?

Best regards,
Peter
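As an added illustration of the mass-assignment pattern the thread is arguing about (this is not code from the post, from Rails or from Django), the toy below copies parsed request parameters onto a database-backed object. The `User` class, the parameter dictionary and the `EDITABLE_FIELDS` allow-list are all constructed for the example. `assign_all` is the "no attr_accessible" behaviour the quoted article describes: any column name the client sends becomes a write. `assign_allowed` is the fix, an explicit allow-list of the fields the view is meant to expose.

```python
"""Mass assignment: the unprotected write-everything pattern beside an
allow-listed version. Constructed example, not framework code."""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False        # sensitive column the client must not control
    organization_id: int = 0      # foreign key, likewise


# Constructed request parameters, as a parsed form post would look.
# The last two keys are ones a malicious client would add to the form.
UNTRUSTED_PARAMS = {
    "username": "peter",
    "email": "peter@example.com",
    "is_admin": "true",
    "organization_id": "42",
}

# Fields the profile-edit view is meant to expose: the equivalent of
# Rails' attr_accessible, or the `fields` option on a Django ModelForm.
EDITABLE_FIELDS = ("username", "email")


def coerce(raw: str, current):
    """Convert a string parameter to the type of the existing attribute.
    bool is checked before int because bool is a subclass of int."""
    if isinstance(current, bool):
        return raw.lower() in ("1", "true", "on")
    if isinstance(current, int):
        return int(raw)
    return raw


def assign_all(user: User, params: dict) -> User:
    """Vulnerable pattern: every submitted key that matches a column is
    written, so is_admin and organization_id are attacker-controlled."""
    for key, value in params.items():
        if hasattr(user, key):
            setattr(user, key, coerce(value, getattr(user, key)))
    return user


def assign_allowed(user: User, params: dict, allowed=EDITABLE_FIELDS):
    """Hardened pattern: only allow-listed keys are written. Rejected keys
    are returned so the view can log them as a tampering indicator."""
    rejected = []
    for key, value in params.items():
        if key in allowed:
            setattr(user, key, coerce(value, getattr(user, key)))
        else:
            rejected.append(key)
    return user, rejected


if __name__ == "__main__":
    print(assign_all(User("old", "old@example.com"), UNTRUSTED_PARAMS))
    print(assign_allowed(User("old", "old@example.com"), UNTRUSTED_PARAMS))
```

The point of the `rejected` list is detection as much as mitigation: a client that sends `is_admin` to a profile form is probing, and that is worth a log line. In Django the same allow-list is what `fields` on a `ModelForm` gives you; the thread's "you'd have to sabotage your own code" amounts to writing `Model(**request.POST)` yourself instead.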