Very good security upgrade

About conditional models, what are they exactly?

On 3 jun, 17:23, Massimo Di Pierro <massimo.dipie...@gmail.com> wrote:
> We fixed a few more bugs (strangely most of them preexisting 1.96.1).
> We also addressed two security issues as I will explain later in this
> email:
>
> Here I am reporting the 1.96.1 changelog with some additions:
>
> Changelog:
> - "from gluon import *" imports in every python module a web2py
> environment (A, DIV,..SQLFORM, DAL, Field,...) including
> current.request, current.response, current.session, current.T,
> current.cache, thanks Jonathan.
> - conditional models in
>   models/<controller>/a.py and models/<controller>/<function>/a.py
> - from mymodule import *, looks for mymodule in applications/thisapp/
> modules first and then in sys.path. No more need for local_import.
> Thanks Pierre.
> - usage of generic.* views is - by default - restricted to localhost
> for security. This can be changed in a granular way with:
> response.generic_patterns=['*']. This is a slight change of behavior
> for new app but a major security fix.
> - all applications have a cas 2.0 provider at http://.../user/cas/login
> - all applications can delegate login to an external provider:
> Auth(...,cas_provider='http://.../other_app/default/user/cas')
> - A(...,callback=URL(...),target='id') does Ajax
> - URL(...,user_signature=True), LOAD(...,user_signature=True) can
> sign urls and @auth.requires_signature() will check the signature for
> any decorated action.
> - DAL(...,migrate_enabled=False) to disable all migrations
> - DAL(...,fake_migrate_all=True) to rebuild all corrupted metadata
> - new DAL metadata format (databases/*.table)
> - DAL(...,adapter_arg={}) allows support for alternate drivers
> - DAL now allows circular table definitions
> - DAL(..,auto_import=True) automatically imports tables from metadata
> without need to db.define_table(...)s.
> - new alternate syntax for inner joins: db(...).select(join=...)
> - experimental cubrid database support
> - DAL 'request_tenant' fields are special: they automatically filter
> all records based on their default value.
> - db._common_fields.append(Field('owner')) allows adding fields to
> ALL tables
> - DAL ignores repeated fields with same names
> - web2py_ajax.html is more modular, thanks Anthony
> - request.is_local
> - request.is_http
> - new sessions2trash.py thanks Jim Karsten
> - corrupted cache files are automatically deleted
> - new simpler API gluon.contrib.AuthorizeNet.process(...)
> - fixed recaptcha (as they released new API)
> - messages in validators have default internationalization
> - No more Auth(globals(),db), just Auth(db). Same for Crud and
> Service.
> - scripts/access.wsgi allows apache+mod_wsgi to delegate
> authentication of any URL to any web2py app
> - json now supports T(...)
> - scripts/setup-web2py-nginx-uwsgi-ubuntu.sh
> - web2py HTTP responses now set: "X-Powered-By: web2py", thanks Bruno
> - mostly fixed generic.pdf. You can view any page in PDF if you have
> pdflatex installed or if your html follows the pyfpdf convention.
> - auth.settings.extra_fields['auth_user'].append(Field('country'))
> allows extending the auth_* tables without needing to define a custom
> auth_* table. It must be placed before auth.define_tables()
> - {{=response.toolbar()}} to help you debug applications
> - web based shell now supports object modifications (but no
> redefinitions of non-serializable types)
> - jQuery 1.6.1
> - more secure uuid function to protect sessions from cryptographic
> attacks
> - auto logout of appadmin
> - Lots of bug fixes
>
> ## Security warning
>
> This release fixes two security issues:
>
> 1) web2py used random to generate uuid. This is mostly fine but it was
> technically possible for an attacker to retrieve a lot of session
> uuids, extrapolate information about the pseudo-random-generator and
> use the information to guess somebody else's session. Our new
> contributor and security expert David Wager, spotted this problem and
> suggested rewriting the web2py uuid function used for generating
> session names. The new function uses /dev/urandom as entropy source
> and falls back to the old method when the entropy source is not
> available, issuing a warning.
>
> 2) appadmin uses admin authentication but failed to detect expired
> sessions (60 minutes). This has now been corrected.
