Hi all,
so I ran into the issue of returning a list via JSON, which TurboGears doesn't let me do. To my understanding the vulnerability in question only exists for GET requests – at least with any halfway modern browser. So wouldn't it be more consistent to only restrict JSON array returns if the request was a GET and not a POST?
The problem I have with this is using a 3rd party software which requires an array response (and no, it's not critical data so I couldn't care less if anyone stole something that's indexed on Google anyways).
Sure it's easy to change in tg/controllers/decoratedcontroller.py – but I'd rather stick to stock TG as much as possible (already have a bunch of hacks in place which make it a pain to upgrade).
Thanks
Uwe
Alessandro, I should have mentioned that I did try that config setting. But guess what:
The response has to be a dict or a string or you see other errors pop up because code down the chain expects a dict.
Thanks! I have set the allow_lists config option which is probably why using the regular json module works just the same as your solution.
Uwe
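
The method-based policy proposed in the first message, as an added sketch that is not TurboGears code and not part of the thread. `render_json`, `wrap_for_get` and `JSONArrayNotAllowed` are hypothetical names; `allow_lists` is modelled on the config option named in the last reply, and the rest is an assumption about how such a check could look.

```python
import json


class JSONArrayNotAllowed(ValueError):
    """Raised when a top-level JSON array would be sent on a GET/HEAD response."""


# A cross-site <script src="..."> include always fetches with GET, so these are
# the methods where a bare array could be pulled into another origin's page.
SCRIPT_REACHABLE_METHODS = {"GET", "HEAD"}


def render_json(value, method, allow_lists=False):
    """Serialize value, refusing top-level arrays on script-reachable methods.

    Hypothetical helper: only the allow_lists name comes from the thread.
    """
    is_array = isinstance(value, (list, tuple))
    if is_array and not allow_lists and method.upper() in SCRIPT_REACHABLE_METHODS:
        raise JSONArrayNotAllowed(
            "top-level JSON array refused for %s; wrap it in an object" % method
        )
    return json.dumps(value)


def wrap_for_get(items, key="items"):
    """Alternative for GET endpoints: make the top-level value an object."""
    return {key: list(items)}


if __name__ == "__main__":
    rows = ["a", "b"]  # constructed sample data
    print(render_json(rows, "POST"))               # array allowed on POST
    print(render_json(wrap_for_get(rows), "GET"))  # wrapped object on GET
    try:
        render_json(rows, "GET")
    except JSONArrayNotAllowed as exc:
        print("refused:", exc)
```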