On Wednesday, October 19, 2011 11:29:15 AM UTC-4, rochacbruno wrote:
>
> On Wed, Oct 19, 2011 at 1:13 PM, Harshad <hash...@gmail.com> wrote:
>
>> Before we close this thread, I am curious as to why/how is this a security
>> risk?
>
>
> Having a controller which returns nothing
>
> def index():
>     return dict()
>
> and for example in session.
>
> session.mysecretvariable = "hello"
>
> If the index controller uses generic views, the generic view will expose the
> toolbar which has [session, response, request] links and your users will be
> able to see all your session variables including the "mysecretvariable"
>
You're somewhat protected against that because generic.html only shows the response.toolbar() if the request is local. But there are other potential issues.

The general problem is that sometimes actions return more data to an html view than will actually be displayed by the view. This happens, for example, when you return a DAL Row or Rows object with multiple fields, but only display some subset of the fields (e.g., return some auth_user rows to show a list of names, but the Rows object also includes hashed passwords). Also, sometimes actions return locals() instead of an explicitly constructed dict() (bad practice, but it happens).

The problem is that generic views like generic.json and generic.xml expose everything returned to them. So, although your /default/myfunc.html view may display only the data you want to expose publicly, an attacker could simply go to /default/myfunc.json, and the generic.json view will expose everything returned by the myfunc() function.

To prevent this kind of inadvertent exposure, generic views are disabled by default, and you can enable specific views in specific cases by setting response.generic_patterns appropriately (the patterns indicate which views should be allowed depending on the particular controller and function requested).

Anthony
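The over-exposure Anthony describes, shown as an added example that is not part of the thread and not web2py's own code. It models a controller that hands a full auth_user Rows object (password hashes included) to a view that only renders names, beside a hardened controller that returns an explicit dict of just the public fields, and a stand-in for generic.json that serialises whatever it is given. The sample rows, the `render_generic_json` and `leaked_fields` helpers, and the `generic_view_allowed` check are all constructed here; the fnmatch-based matching of `response.generic_patterns` against `controller/function.extension` is an assumption about web2py's behaviour, not a quotation of it.

```python
import json
from fnmatch import fnmatch

# Constructed sample data standing in for db(db.auth_user).select().
# The hash strings are placeholders, not real password hashes.
AUTH_USER_ROWS = [
    {"id": 1, "first_name": "Ada", "last_name": "Lovelace",
     "email": "ada@example.com", "password": "pbkdf2(1000,20,sha512)$salt$hash1"},
    {"id": 2, "first_name": "Alan", "last_name": "Turing",
     "email": "alan@example.com", "password": "pbkdf2(1000,20,sha512)$salt$hash2"},
]


def select_users():
    """Stand-in for db(db.auth_user).select(): every column comes back."""
    return [dict(row) for row in AUTH_USER_ROWS]


def list_users_leaky():
    """The bad pattern from the thread: the whole Rows object is handed to
    the view and locals() is returned. default/list_users.html may only
    render names, but generic.json serialises every field, hashes included."""
    users = select_users()
    return locals()  # {'users': [...all columns...]}


def list_users_safe():
    """Hardened controller: an explicit dict with only the public fields."""
    users = [{"first_name": r["first_name"], "last_name": r["last_name"]}
             for r in select_users()]
    return dict(users=users)


def render_generic_json(controller_result):
    """Models generic.json: it dumps whatever the action returned."""
    return json.dumps(controller_result, sort_keys=True)


def leaked_fields(rendered_json, sensitive=("password", "email")):
    """Detection helper: which sensitive keys show up in the rendered output."""
    return sorted(k for k in sensitive if '"%s"' % k in rendered_json)


def generic_view_allowed(patterns, controller, function, extension):
    """Assumed model of response.generic_patterns: the generic view for
    <controller>/<function>.<extension> is used only when some pattern
    fnmatch-es it. An empty list (the default) disables all generic views."""
    target = "%s/%s.%s" % (controller, function, extension)
    return any(fnmatch(target, p) for p in patterns)


if __name__ == "__main__":
    for name, action in (("leaky", list_users_leaky), ("safe", list_users_safe)):
        out = render_generic_json(action())
        print("%s controller via generic.json leaks: %s" % (name, leaked_fields(out)))
    print("json allowed with []:", generic_view_allowed([], "default", "list_users", "json"))
    print("json allowed with ['default/list_users.html']:",
          generic_view_allowed(["default/list_users.html"], "default", "list_users", "json"))
```

Running it shows the leaky controller exposing `email` and `password` through the JSON renderer while the safe one exposes neither, and that a pattern limited to `default/list_users.html` does not open the `.json` variant of the same action.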