Where do we set the response headers?

On 6/3/11 12:17 PM, GoldenTiger wrote:
Very good security upgrade

About conditional models, what are they exactly?

On 3 jun, 17:23, Massimo Di Pierro<massimo.dipie...@gmail.com>  wrote:
We fixed a few more bugs (strangely most of them preexisting 1.96.1).
We also addressed two security issues as I will explain later in this

here is am reporting the 1.96.1 changelog with some additions

- "from gluon import *" imports in every python module a web2py
environment (A, DIV,..SQLFORM, DAL, Field,...) including
current.request, current.response, current.session, current.T,
current.cache, thanks Jonathan.
- conditional models in
   models/<controller>/a.py and models/<controller>/<function>/a.py
- from mymodule import *, looks for mymodule in applications/thisapp/
modules first and then in sys.path. No more need for local_import.
Thanks Pierre.
- usage of generic.* views is - by default - restricted to localhost
for security. This can be changed in a granular way with:
response.generic_patterns=['*']. This is a slight change of behavior
for new app but a major security fix.
- all applications have cas 2.0 provider athttp://.../user/cas/login
- all applications can delegate to login to external provider
- A(...,callback=URL(...),larget='id') does Ajax
- URL(...,user_signature=True), LOAD(...,user_signature=True) can
urls and @auth.requires_signature() will check the signature for any
decorated action.
- DAL(...,migrate_enabled=False) to disable all migrations
- DAL(...,fake_migrate_all=True) to rebuild all corrupted metadata
- new DAL metadata format (databases/*.table)
- DAL(...,adapter_arg={}) allows support for alternate drivers
- DAL now allows circular table defintions
- DAL(..,auto_import=True) automatically imports tables from metadata
without need to db.define_table(...)s.
- new alterante syntax for inner joins: db(...).select(join=...)
- experimental cubrid database support
- DAL 'request_tenant' fields are special, the altomatically filer
records based on their default value.
- db._common_fields.append(Field('owner')) allows to add fields to
- DAL ignores repeated fields with same names
- web2py_ajax.html is more modular, thanks Anthony
- request.is_local
- request.is_http
- new sessions2trash.py thanks Jim Karsten
- corrupted cache files are automatically deleted
- new simpler API gluon.contrib.AuthorizeNet.procss(...)
- fixed recaptcha (as they released new API)
- messages in validators have default internationalization
- No more Auth(globals(),db), just Auth(db). Same for Crud and
- scripts/access.wsgi allows apache+mod_wsgi to delegate
authentication of any URL to any web2py app
- json now supports T(...)
- scripts/setup-web2py-nginx-uwsgi-ubuntu.sh
- web2py HTTP responses now set: "X-Powered-By: web2py", thanks Bruno
- mostly fixed generic.pdf. You can view any page in PDF if you have
pdflatex installed or if your html follows the pyfpdf convention.
- auth.settings.extra_fields['auth_user'].append(Field('country'))
allows to extend auth_* tables without need of definiting a custom
auth_* table. Must be placed before auth.define_tables()
- {{=response.toolbar()}} to help you debug applications
- web based shell now supports object modifications (but no
redefinitions of non-serializable types)
- jQuery 1.6.1
- more secure uuid function to protect sessions form cryptographic
- auto logout of appadmin
- Lots of bug fixes

## Security wanring

This release fixes two security issues:

1) web2py used random to generate uuid. This is mostly fine but it was
technically possible for an attacker to retrieve a lot of session
uuids, extrapolate information about the pseudo-random-generator and
use the information to guess somebody else's session. Our new
contributor and security expert David Wager, spotted this problem and
suggested rewriting the web2py uuid function used for generating
session names. The new function uses /dev/urandom as entropy source
and falls back to the old method when the entropy source is not
available, issuing a warning.

2) appadmin uses admin authentication but failed to detect expires
sessions (60minutes). This has now been corrected.

