On second thought, if SQLFORM(..., detect_record_change=True), the _formkey token is a hash of the record fields rather than a random UUID, so it would remain the same from request to request, thus enabling the exploit. Perhaps we should add a random string to the record hash in that case.
On Tuesday, August 6, 2013 3:16:53 PM UTC-4, Anthony wrote:
>
> > I know that there are security experts/security "fans" watching over
> > web2py's code, so I'll leave this topic to them for further analysis, but
> > as Anthony suggested it seems that web2py is fine. Django and Rails use a
> > somewhat "static" token, while web2py generates a new one for every form.
> > This cripples a little bit the javascript interaction, but seems to give
> > web2py's a nicer security model until BREACH gets somehow fixed at higher
> > levels.
>
> Note, I think we're OK on CSRF, but there may be other ways to use the
> exploit (e.g., to get PII from a page).
>
> Anthony

--
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
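To make the suggestion in the message above concrete, here is an added, self-contained Python sketch. It is not web2py's code (it uses neither SQLFORM nor web2py's session object), and every name, the sample record and the plain dict standing in for the session are constructed for the example. It contrasts a form key derived only from a hash of the record's fields, which is identical on every render of an unchanged record, with one that mixes a fresh random nonce into that hash. The record fingerprint is stored separately alongside the key, so the per-request randomness does not interfere with detecting that the record changed between render and submit.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from any real database); it stands in for
# the row an edit form is rendered against.
RECORD = {"id": 7, "name": "alice", "email": "alice@example.com"}


def record_fingerprint(record):
    """Deterministic hash of the record's field values: the value a
    change-detection scheme keeps so a later submit can tell whether the
    row was modified in the meantime."""
    canonical = "|".join(f"{k}={record[k]}" for k in sorted(record))
    return hashlib.sha256(canonical.encode()).hexdigest()


def static_formkey(record):
    """Form key derived only from the record. For an unchanged record it is
    the same string on every request, so it never varies between renders."""
    return record_fingerprint(record)


def randomized_formkey(record, session):
    """Form key that mixes a per-render random nonce into the record hash.
    The server stores the resulting key and the bare record fingerprint in
    the (hypothetical) session so that both token validation and record
    change detection still work on submit."""
    nonce = secrets.token_hex(16)
    fingerprint = record_fingerprint(record)
    key = hashlib.sha256((fingerprint + nonce).encode()).hexdigest()
    session["formkey"] = key
    session["record_fingerprint"] = fingerprint
    return key


def validate_submission(submitted_key, current_record, session):
    """Check a submitted form against what was stored at render time.

    Returns (token_ok, record_unchanged): token_ok is True only when the
    submitted key matches the most recently issued one (constant-time
    compare); record_unchanged is True when the row's current field values
    still hash to the fingerprint stored at render time."""
    expected = session.get("formkey")
    token_ok = expected is not None and hmac.compare_digest(submitted_key, expected)
    record_unchanged = session.get("record_fingerprint") == record_fingerprint(current_record)
    return token_ok, record_unchanged


if __name__ == "__main__":
    session = {}
    first = randomized_formkey(RECORD, session)
    second = randomized_formkey(RECORD, session)
    print("static key repeats across renders:", static_formkey(RECORD) == static_formkey(RECORD))
    print("randomized key differs across renders:", first != second)
    print("valid submit:", validate_submission(second, RECORD, session))
    print("submit after record edit:", validate_submission(second, dict(RECORD, name="bob"), session))
```

Each render replaces the stored key, so only the most recently issued form validates; the fingerprint comparison is independent of the nonce, which is what lets change detection survive the randomization.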

