No one can sneak extra unexpected fields past a developer by editing HTML
client side, because if the field wasn't rendered to HTML it's not
going to validate.
= Option 2: Deprecate Meta.exclude, but still allow a missing
Meta.fields attribute to indicate that all fields should be editable.
The policy here is essentially this: if any fields the model are
sensitive, assume all are potentially, and require whitelisting, not
blacklisting.
(I apologize if this is a duplicate - my other account appears to have an issue sending to this group)
I'm in the camp don't change it. ModelForms are doing what they are designed to do: providing a very handy short cut. It is a design decision to either use a ModelForm, or a a plain Form not tied to a model. If I want front end user functionality I use a Form, if I want admin front end functionality I use a ModelForm - I use a different approach based on the expected level of trust here. The un-desired effect would also only come into play if these new fields were not required so they would need to pass validation - yes? Actually I would suggest to remove 'fields' and leave the 'exclude' option, if I remove one two or three fields I might still have functioning ModelForm where I don't have to override save() to pass DB validation , any more excludes and a customized Form might be a better approach; having the 'fields' option implies to me I can get away using ModelForm instead of Form and have falsely in past tried to do so.
-----Original Message----- From: Luke Plant
Sent: Tuesday, June 12, 2012 7:16 PM
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscribe@googlegroups.com.
Daniel Sokolowski
Web Engineer
Danols Web Engineering
http://webdesign.danols.com/
Office: 613-817-6833
Fax: 613-817-4553
Toll Free: 1-855-5DANOLS
Kingston, ON K7L 1H3, Canada
Notice of Confidentiality:
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review re-transmission dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error please contact the sender immediately by return electronic transmission and then immediately delete this transmission including all attachments without copying distributing or disclosing same.
--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscribe@googlegroups.com.
On Jun 13, 2012 8:12 PM, "Doug Blank" <doug....@gmail.com> wrote:
>
> I, too, was thinking about this kind of solution. In fact, it came up
> for me the other day because I had forgotten to exclude a field that I
> did not have on the form, and so the value ended up getting wiped out
> when I saved. So, perhaps a solution that prevented others from adding
> fields could also be a solution that checked to make sure that the
> form was editing all fields it should be.
>
That suggests an idea to me. Perhaps the best way to check this isn't on the way out in the template renderer, but rather on the way back in in the form validation. If the form doesn't get back exactly those fields it sent out then you know that for whatever reason, the field was unable to make a round trip. In a ModelForm with implicit fields this is the root cause of this whole security dilemma.
This solution is parsimonious because it's easy to explain: "If a form didn't get back all the fields it expected then there was probably an error of omission rendering it. This causes a security hole where an attacker can modify fields the developer doesn't expect, for further examples see <link to description of rails debacle>"
It's an easy thing to justify turning on in an opt-out fashion, Meta.allow_partial_submissions or something.
Best,
Alex Ogier
Carl
On Jun 14, 2012 12:48 AM, "Anssi Kääriäinen" <anssi.ka...@thl.fi> wrote:
>
> This seems to be different from what Rails do: they have
> update_attributes which updates all model attributes present in the
> request, but lefts all others untouched. So, in Rails if you render
> only part of the fields in update view, then you will not get the non-
> included fields overwritten to NULL, which conveniently hides the
> problem that the fields are in fact editable through the request.
>
> To me it seems there is no similar attack vector against Django's
> implementation as there were against Rails.
>
Right, the Django situation is already considerably more secure than the Rails status quo. They have a whitelist or blacklist of attributes that they have declared "accessible", independent of forms, making it easy to misunderstand that any form can update any accessible attribute regardless of the input fields the developer has included.
Our forms only validate the fields they explicitly or implicitly include. The only way to get a security hole is to have a mismatch between the fields in your python form and the input fields in your HTML. Since all our forms are explicit, it is feasible to catch that scenario and throw an error, which I think we should do.
Best,
Alex Ogier
On Jun 14, 2012 1:54 AM, "Torsten Bronger" <bro...@physik.rwth-aachen.de> wrote:
>
> But can one guarantee that fields rendered in the browser are also
> sent back in the POST request? Even worse, how about non-browser
> requests?
>
Ugh. I forget that checkboxes don't return anything else when they are unchecked. Kind of throws a wrench in my plan.
Best,
Alex Ogier
Hi Luke,
This sounds like a good compromise between security and usability.