What is the deployment configuration? What wsgi server and what web server?
Craig Younkins
On Tue, Jul 24, 2012 at 5:55 PM, Massimo Di Pierro <
massimo.dipie...@gmail.com> wrote:
> Is there an open issue about this? If not, can you open one with more
> details?
>
>
> On
n=4))
finally:
    web2py_uuid_locker.release()
--
Craig Younkins
6 PM, mdipierro wrote:
> I did not know this would work in attributes. I tried and yes, it
> works!
> The patch is now in trunk. Please check it.
>
> Massimo
>
> On 14 Lug, 12:01, Craig Younkins wrote:
> > Yes, you can escape both a and b such that it works in either cont
', b=' x"y ')
>
> #view
> {{=b}}
>
> Notice that a and b have the same value. a should be escaped as x\"y
> while this escaping would be wrong for b.
> Are you telling me there is a way to escape both a and b that works in
> both way whatever the context?
n dict(data='" onload="alert(1);" bad="')
View:
Output:
The same attack works with single-quoted attributes. While you're right that we
can't do full proper escaping without knowing the context, I don't think
quotes should be permitted in any web context.
--
Craig Younkins
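To make the two positions in this exchange concrete, here is an added example; it is not code from the thread or from web2py. It assumes a view that places the value inside a quoted `title` attribute (a stand-in for `<div title="{{=data}}">`), uses Python's `html.escape` as the entity-escaping routine, and uses a deliberately simplified attribute tokenizer to show which attributes a browser would end up seeing. The payloads are constructed in the shape of the one posted above.

```python
import html
import re

# Constructed payloads in the shape of the one posted in the thread: each
# closes the quoted attribute it lands in and smuggles in an event handler.
PAYLOAD_DQ = '" onload="alert(1);" bad="'
PAYLOAD_SQ = "' onload='alert(1);' bad='"


def escape_no_quotes(s):
    """Escape only &, < and >. Enough for text nodes, not for attributes."""
    return s.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')


def escape_with_quotes(s):
    """Escape &, <, >, " and ' as entities (html.escape with quote=True
    emits &quot; and &#x27;). One output is safe in a text node and in a
    double- or single-quoted attribute value, so the template author does
    not have to know which quoting style the view used."""
    return html.escape(s, quote=True)


def render(data, escape, quote='"'):
    """Stand-in for a view like <div title="{{=data}}">...</div>, with the
    template's attribute quoting style selectable (assumed view shape)."""
    return f'<div title={quote}{escape(data)}{quote}>text</div>'


_ATTR = re.compile(r"""(\w+)=("[^"]*"|'[^']*')""")


def attribute_names(markup):
    """Attribute names a browser would see on the opening tag.
    Simplified tokenizer, sufficient for this demonstration."""
    open_tag = markup[:markup.index('>') + 1]
    return [m.group(1) for m in _ATTR.finditer(open_tag)]


def injected(data, escape, quote='"'):
    """True if escaping failed to keep the value inside the title attribute."""
    return attribute_names(render(data, escape, quote)) != ['title']


def roundtrips(value):
    """Browsers decode entities before using an attribute value, so the
    escaped form must decode back to the original; nothing is lost by
    escaping quotes that the current context did not strictly require."""
    return html.unescape(escape_with_quotes(value)) == value


if __name__ == '__main__':
    for quote, payload in (('"', PAYLOAD_DQ), ("'", PAYLOAD_SQ)):
        for name, esc in (('without quotes', escape_no_quotes),
                          ('with quotes   ', escape_with_quotes)):
            verdict = 'injected' if injected(payload, esc, quote) else 'ok'
            print(f'{quote}-quoted attribute, escape {name}: '
                  f'{render(payload, esc, quote)} -> {verdict}')
    # A double-quote payload inside a single-quoted attribute is harmless,
    # which is exactly why "correct" escaping looks context-dependent.
    print('DQ payload in SQ attribute, no quote escaping ->',
          'injected' if injected(PAYLOAD_DQ, escape_no_quotes, "'") else 'ok')
    print('x"y round-trips through entity escaping:', roundtrips('x"y'))
```

Running it shows the same escaped string staying inside the attribute whether the view used single or double quotes, while the `<>&`-only escaping lets either payload add `onload` and `bad` attributes to the tag.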
which the caller
need provide. It gets a little complicated to determine what code path will
execute because of how it depends on these two params. Like I said before,
I'd love to see these be statically set in the application configuration so
there is only one algorithm and one key that is u
hon web2py.py -S testapp' but it did not generate a new
value for auth.settings.hmac_key in db.py. Should it have?
It appears to use MD5 by default unless an alternative is specified,
such as SHA512.
Please feel free to discuss!
Craig Younkins
On Jun 30, 9:58 am, mdipierro wrote:
> Hi Craig,
>
> You
Hello there! My name is Craig Younkins. I'm a summer intern at OWASP,
the Open Web Application Security Project. This summer I'm working
heavily on web security in Python.
First, I would like to praise Dr. Di Pierro and all the web2py
contributors for their focus on security. Examining