Invalid view in 1.97.1

Gary Herron

Jun 30, 2011, 1:33:38 AM
to web2py-users
I'm getting an occasional "invalid view" error since I upgraded to
1.97.1. Since it was on a web site I was experimenting/learning with,
I thought it might be my problem, but I no longer think so.

On controllers with no corresponding view, there is supposed to be a
generic view which handles the formatting of the page -- but that seems
to have gotten lost in 1.97.1 -- in at least some cases.

Here is a page right out of web2py.com which (I'm pretty sure) used to
work, but now exhibits this error:
Visit
http://web2py.com/examples/simple_examples/hello6
and get
invalid view (simple_examples/hello6.html)

Any clues, fixes, explanations would be welcome.

Thanks,

Gary Herron

--
Gary Herron, PhD.
Department of Computer Science
DigiPen Institute of Technology
(425) 895-4418


Anthony

Jun 30, 2011, 1:39:04 AM
to web...@googlegroups.com
On Thursday, June 30, 2011 1:33:38 AM UTC-4, Gary wrote:
> I'm getting an occasional "invalid view" error since I upgraded to
> 1.97.1. Since it was on a web site I was experimenting/learning with,
> I thought it might be my problem, but I no longer think so.
>
> On controllers with no corresponding view, there is supposed to be a
> generic view which handles the formatting of the page -- but that seems
> to have gotten lost in 1.97.1 -- in at least some cases.

This change is by design, due to a potential security vulnerability. See https://groups.google.com/d/msg/web2py/JR_pyGVfm_g/VlCfeKZWAvkJ.

> Here is a page right out of web2py.com which (I'm pretty sure) used to
> work, but now exhibits this error:
> Visit
>      http://web2py.com/examples/simple_examples/hello6
> and get
>      invalid view (simple_examples/hello6.html)

Good catch -- that example should be fixed.

Anthony

Bruno Rocha

Jun 30, 2011, 1:40:30 AM
to web...@googlegroups.com
By default, generic views will be disabled, it is a security issue,
but you can activate them at your own risk.

In any model file include

response.generic_patterns = ['*']

And it will enable all generic views.

Massimo needs to update the example app to get this working again.

--
Bruno Rocha
[ Learn to program: http://CursoDePython.com.br ]
[ Your ally in caring for animals: http://AnimalSystem.com.br ]
[ Web development consulting: http://www.blouweb.com ]

pbreit

Jun 30, 2011, 1:51:56 AM
to web...@googlegroups.com
Or this if you can get by with them only being available on "localhost":

# by default give a view/generic.extension to all actions from localhost
# none otherwise. a pattern can be 'controller/function.extension'
response.generic_patterns = ['*'] if request.is_local else []

Gary Herron

Jun 30, 2011, 3:24:36 AM
to web...@googlegroups.com

I see. This is a nice solution. Thanks.

I'm curious to know what is the security risk being avoided here. I
vaguely remember it being discussed here -- time to search the archives
I guess.

pbreit

Jun 30, 2011, 7:31:26 AM
to web...@googlegroups.com
If you pass, for example, an auth_user record to a view, you can view all the fields of that record by changing the extension. If you're passing locals() you can view even more. This is because the generics are designed to display everything that they can. Helpful during development but not appropriate for production.
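
An added example, not part of the thread and not web2py's own code: a simplified model of how `response.generic_patterns` gates the generic views, and why an action that hands a whole record to the view exposes every field once a generic serializer is allowed. It assumes patterns are glob-matched against `controller/function.extension`, as the model-file comment quoted above describes; `render`, `profile_leaky`, `profile_safe`, `patterns_for` and the sample record are hypothetical names and constructed data.

```python
import fnmatch
import json
import re

# Constructed sample row standing in for an auth_user record (not real data).
USER_ROW = {"id": 7, "first_name": "Ann", "email": "ann@example.test",
            "password": "constructed-hash-value",
            "reset_password_key": "constructed-reset-key"}

def generic_allowed(patterns, controller, function, extension):
    """Simplified model of the generic_patterns check: glob patterns are
    matched against 'controller/function.extension'; empty means never."""
    if not patterns:
        return False
    regex = re.compile("|".join(fnmatch.translate(p) for p in patterns))
    return bool(regex.match("%s/%s.%s" % (controller, function, extension)))

def render(action, patterns, controller, function, extension):
    """Hypothetical dispatcher for an action that has no dedicated view:
    fall back to a generic serializer only when the patterns allow it."""
    result = action()
    if generic_allowed(patterns, controller, function, extension):
        # A generic view displays everything the action returned.
        return json.dumps(result, sort_keys=True)
    return "invalid view (%s/%s.%s)" % (controller, function, extension)

def profile_leaky():
    # Whole record handed to the view: safe only with a hand-written view.
    return dict(user=USER_ROW)

def profile_safe():
    # Pass only the fields the page is meant to show.
    return dict(user={k: USER_ROW[k] for k in ("first_name", "email")})

def patterns_for(is_local):
    # Mirrors the localhost-only setting suggested earlier in the thread.
    return ["*"] if is_local else []

if __name__ == "__main__":
    for local in (True, False):
        print(local, render(profile_leaky, patterns_for(local),
                            "default", "profile", "json"))
    print(render(profile_safe, ["default/profile.json"],
                 "default", "profile", "json"))
```

Listing individual `controller/function.extension` patterns, combined with returning only the needed fields, keeps a generic view usable for one action without reopening it for the rest of the application.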