Opened 16 years ago
Closed 16 years ago
#7037 closed (duplicate)
__getitem__ in HttpRequest is dangerous with templates
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Keywords: | ||
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I had an interesting bug today. The default template system uses . to mean anything from method invocations to member lookup to dictionary lookup, meaning that if you put a variable on request and count on being able to use it from within a template with {{ request.variable }}, you'll get a GET or POST parameter instead if one has been passed in the request because dictionary lookup is tried first!
Like request.user that one of the middlewares put in. I believe this is a security hazard - auto-escaping helps a bit here, but basically if there's a {{ request.user }} somewhere in the code without auto-escaping, it's a security disaster waiting to happen. Just pass in a url with ?user=evilcode appended to see what I mean.
I suggest the getitem method be removed with request.REQUEST being the migration path (the documentation even recommends against request.REQUEST so I see no need to make it easier to use).
Duplicate of #3828.