anywhere you like: response.headers['Content-Type']='text/html'

On Jun 3, 11:35 am, "David J." <da...@styleflare.com> wrote:
> Where do we set the response headers?
>
> On 6/3/11 12:17 PM, GoldenTiger wrote:
> > Very good security upgrade
> >
> > About conditional models, what are they exactly?
> >
> > On 3 jun, 17:23, Massimo Di Pierro<massimo.dipie...@gmail.com> wrote:
> >> We fixed a few more bugs (strangely most of them preexisting in 1.96.1).
> >> We also addressed two security issues as I will explain later in this email:
> >>
> >> here I am reporting the 1.96.1 changelog with some additions
> >>
> >> Changelog:
> >> - "from gluon import *" imports in every python module a web2py environment (A, DIV,..SQLFORM, DAL, Field,...) including current.request, current.response, current.session, current.T, current.cache, thanks Jonathan.
> >> - conditional models in models/<controller>/a.py and models/<controller>/<function>/a.py
> >> - from mymodule import *, looks for mymodule in applications/thisapp/modules first and then in sys.path. No more need for local_import. Thanks Pierre.
> >> - usage of generic.* views is - by default - restricted to localhost for security. This can be changed in a granular way with: response.generic_patterns=['*']. This is a slight change of behavior for new apps but a major security fix.
> >> - all applications have a cas 2.0 provider at http://.../user/cas/login
> >> - all applications can delegate login to an external provider: Auth(...,cas_provider='http://.../other_app/default/user/cas')
> >> - A(...,callback=URL(...),target='id') does Ajax
> >> - URL(...,user_signature=True), LOAD(...,user_signature=True) can sign urls and @auth.requires_signature() will check the signature for any decorated action.
> >> - DAL(...,migrate_enabled=False) to disable all migrations
> >> - DAL(...,fake_migrate_all=True) to rebuild all corrupted metadata
> >> - new DAL metadata format (databases/*.table)
> >> - DAL(...,adapter_arg={}) allows support for alternate drivers
> >> - DAL now allows circular table definitions
> >> - DAL(..,auto_import=True) automatically imports tables from metadata without need of db.define_table(...)s.
> >> - new alternate syntax for inner joins: db(...).select(join=...)
> >> - experimental cubrid database support
> >> - DAL 'request_tenant' fields are special, they automatically filter all records based on their default value.
> >> - db._common_fields.append(Field('owner')) allows to add fields to ALL tables
> >> - DAL ignores repeated fields with same names
> >> - web2py_ajax.html is more modular, thanks Anthony
> >> - request.is_local
> >> - request.is_http
> >> - new sessions2trash.py thanks Jim Karsten
> >> - corrupted cache files are automatically deleted
> >> - new simpler API gluon.contrib.AuthorizeNet.process(...)
> >> - fixed recaptcha (as they released new API)
> >> - messages in validators have default internationalization
> >> - No more Auth(globals(),db), just Auth(db). Same for Crud and Service.
> >> - scripts/access.wsgi allows apache+mod_wsgi to delegate authentication of any URL to any web2py app
> >> - json now supports T(...)
> >> - scripts/setup-web2py-nginx-uwsgi-ubuntu.sh
> >> - web2py HTTP responses now set: "X-Powered-By: web2py", thanks Bruno
> >> - mostly fixed generic.pdf. You can view any page in PDF if you have pdflatex installed or if your html follows the pyfpdf convention.
> >> - auth.settings.extra_fields['auth_user'].append(Field('country')) allows to extend auth_* tables without need of defining a custom auth_* table. Must be placed before auth.define_tables()
> >> - {{=response.toolbar()}} to help you debug applications
> >> - web based shell now supports object modifications (but no redefinitions of non-serializable types)
> >> - jQuery 1.6.1
> >> - more secure uuid function to protect sessions from cryptographic attacks
> >> - auto logout of appadmin
> >> - Lots of bug fixes
> >>
> >> ## Security warning
> >>
> >> This release fixes two security issues:
> >>
> >> 1) web2py used random to generate uuid. This is mostly fine but it was technically possible for an attacker to retrieve a lot of session uuids, extrapolate information about the pseudo-random-generator and use the information to guess somebody else's session. Our new contributor and security expert David Wager spotted this problem and suggested rewriting the web2py uuid function used for generating session names. The new function uses /dev/urandom as entropy source and falls back to the old method when the entropy source is not available, issuing a warning.
> >>
> >> 2) appadmin uses admin authentication but failed to detect expired sessions (60 minutes). This has now been corrected.
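The first security issue in Massimo's announcement (session uuids drawn from Python's `random`, so that an attacker who collects enough of them can reconstruct the generator and guess the next one) is abstract as stated. The following is an added example, not web2py's old or new uuid code: it uses a hypothetical `weak_session_id()` that concatenates four raw 32-bit Mersenne Twister outputs, assumes the attacker saw the first 156 ids the server issued (156 x 4 = 624 words, one full MT19937 state block, as the generator starts from a fresh seed), recovers the state by inverting the output tempering, predicts the next id, and shows the os.urandom-based replacement with the warned fallback the thread describes.

```python
"""Added example (not web2py code): predicting `random`-based session ids, and the fix."""
import os
import random
import warnings

MT_N = 624  # MT19937 state size in 32-bit words


def weak_session_id(rng):
    """Hypothetical pre-fix scheme: a 128-bit hex id from the non-cryptographic PRNG."""
    return "".join("%08x" % rng.getrandbits(32) for _ in range(4))


def untemper(y):
    """Invert MT19937 output tempering (>>11, <<7, <<15, >>18) to get the raw state word."""
    y ^= y >> 18
    y ^= (y << 15) & 0xEFC60000
    x = y
    for _ in range(5):                      # 7-bit shift: 5 rounds fix all 32 bits
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x & 0xFFFFFFFF
    x = y
    for _ in range(3):                      # 11-bit shift: 3 rounds fix all 32 bits
        x = y ^ (x >> 11)
    return x & 0xFFFFFFFF


def clone_generator(observed_ids):
    """Rebuild the server's PRNG from ids covering one complete state block.

    Assumption (constructed scenario): the first observed id is the first id the
    server issued after seeding, so the outputs align with a state block boundary.
    """
    words = [int(sid[i:i + 8], 16) for sid in observed_ids for i in range(0, 32, 8)]
    if len(words) < MT_N:
        raise ValueError("need %d outputs, got %d" % (MT_N, len(words)))
    state = [untemper(w) for w in words[:MT_N]]
    clone = random.Random()
    # index == MT_N makes the clone twist before its next output, like the server will
    clone.setstate((3, tuple(state + [MT_N]), None))
    for _ in range(len(words) - MT_N):      # skip outputs beyond the first block
        clone.getrandbits(32)
    return clone


def predict_next_session_id(observed_ids):
    """The attack the announcement describes: guess the id the server hands out next."""
    return weak_session_id(clone_generator(observed_ids))


def strong_session_id(nbytes=16):
    """The fix the announcement describes: OS entropy (/dev/urandom on Unix),
    falling back to the weak generator only with a loud warning."""
    try:
        return os.urandom(nbytes).hex()
    except NotImplementedError:
        warnings.warn("no OS entropy source; session ids are NOT unpredictable")
        return "%0*x" % (2 * nbytes, random.getrandbits(8 * nbytes))


if __name__ == "__main__":
    server = random.Random(20110603)        # constructed seed, unknown to the attacker
    seen = [weak_session_id(server) for _ in range(MT_N // 4)]
    guess = predict_next_session_id(seen)
    actual = weak_session_id(server)
    print("predicted:", guess)
    print("actual:   ", actual, "match" if guess == actual else "mismatch")
    print("strong id:", strong_session_id())
```

The point of the fallback branch is the one the thread makes: a missing entropy source should degrade visibly (a warning) rather than silently, because the weak path is exactly what `clone_generator` defeats.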
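The changelog item on `URL(...,user_signature=True)` and `@auth.requires_signature()` is the other security-relevant mechanism in the announcement. Below is an added example of what such a scheme looks like; it is not web2py's implementation and uses hypothetical names (`sign_url`, `verify_url`, `requires_signature`, a request dict with `url` and `session_key` keys). It assumes each user has a secret key kept server-side in that user's session, signs path plus query with HMAC-SHA256, and rejects tampered, unsigned, duplicated-signature and wrong-key URLs using a constant-time comparison.

```python
"""Added example (not web2py code): per-user HMAC-signed URLs and a decorator that checks them."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

SIG = "_signature"


def _canonical(path, items):
    """Path plus every query arg except the signature, in a fixed order."""
    return path + "?" + urlencode(sorted((k, v) for k, v in items if k != SIG))


def sign_url(path, query, key):
    """Return path?query&_signature=HMAC-SHA256(key, canonical form)."""
    items = [(k, str(v)) for k, v in query.items()]
    mac = hmac.new(key, _canonical(path, items).encode(), hashlib.sha256).hexdigest()
    return path + "?" + urlencode(items + [(SIG, mac)])


def verify_url(url, key):
    """True only if exactly one signature is present and it matches (constant-time)."""
    parts = urlsplit(url)
    items = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in items if k == SIG]
    if len(sigs) != 1:
        return False
    expected = hmac.new(key, _canonical(parts.path, items).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sigs[0], expected)


def requires_signature(key_for):
    """Decorator: run the action only if the request URL verifies under key_for(request)."""
    def decorate(action):
        def guarded(request):
            if not verify_url(request["url"], key_for(request)):
                raise PermissionError("missing or invalid URL signature")
            return action(request)
        return guarded
    return decorate


def session_key(request):
    """Hypothetical lookup of the caller's per-user key from their server-side session."""
    return request["session_key"]


@requires_signature(session_key)
def delete_record(request):
    params = dict(parse_qsl(urlsplit(request["url"]).query))
    return "deleted record %s" % params["id"]


def demo():
    """Constructed scenario: a signed link works; tampered, unsigned or foreign-key links do not."""
    key = b"constructed per-user secret"
    good = sign_url("/app/default/delete_record", {"id": 42}, key)
    results = {"signed": delete_record({"url": good, "session_key": key})}
    attempts = [
        ("tampered", good.replace("id=42", "id=43"), key),
        ("unsigned", "/app/default/delete_record?id=42", key),
        ("wrong_key", good, b"another user's key"),
    ]
    for label, url, k in attempts:
        try:
            delete_record({"url": url, "session_key": k})
            results[label] = "allowed"
        except PermissionError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print("%-10s %s" % (label, outcome))
```

Binding the key to the user's session is what makes the signature a "user signature": a link signed for one user is worthless to another, and nobody without the server-side key can mint a link to a decorated action.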