Opened 7 years ago

Closed 7 years ago

#7037 closed (duplicate)

__getitem__ in HttpRequest is dangerous with templates

Reported by: Ole Laursen <olau@…> Owned by: nobody
Component: HTTP handling Version: master
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

I had an interesting bug today. The default template system uses . to mean anything from method invocations to member lookup to dictionary lookup, meaning that if you put a variable on request and count on being able to use it from within a template with {{ request.variable }}, you'll get a GET or POST parameter instead if one has been passed in the request because dictionary lookup is tried first!

Like request.user that one of the middlewares put in. I believe this is a security hazard - auto-escaping helps a bit here, but basically if there's a {{ request.user }} somewhere in the code without auto-escaping, it's a security disaster waiting to happen. Just pass in a url with ?user=evilcode appended to see what I mean.

I suggest the __getitem__ method be removed with request.REQUEST being the migration path (the documentation even recommends against request.REQUEST so I see no need to make it easier to use).

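The shadowing the reporter describes, as an added example that is not part of the ticket and not Django's code: a small resolver models the lookup order stated above (dictionary-style lookup first, then attribute lookup, then integer index), a request stand-in with a `__getitem__` that answers from POST and then GET, and a second stand-in without it, which is the shape the ticket asks for. The class names `ShadowingRequest` and `SafeRequest`, the `render_user` helper and the sample query strings are this example's own assumptions.

```python
"""
Model of the template lookup described in the ticket. The resolver tries
current[bit] before getattr(current, bit), so any object that defines
__getitem__ over submitted parameters lets a query-string key shadow an
attribute of the same name. Written for this page; not Django's code.
"""
import html
from urllib.parse import parse_qs


class SafeRequest:
    """Request stand-in WITHOUT dict-style lookup (the ticket's proposal).
    Parameters are only reachable explicitly via .GET, .POST or .REQUEST."""

    def __init__(self, query_string="", post=None):
        # Constructed input: last value wins for repeated keys.
        self.GET = {k: v[-1] for k, v in parse_qs(query_string).items()}
        self.POST = dict(post or {})
        self.user = "alice"  # the attribute an auth middleware would attach

    @property
    def REQUEST(self):
        """Merged view of GET and POST; POST overrides GET (assumed order)."""
        merged = dict(self.GET)
        merged.update(self.POST)
        return merged


class ShadowingRequest(SafeRequest):
    """Adds the __getitem__ the ticket objects to: dict-style lookup is
    answered from POST, then GET, and raises KeyError otherwise.
    Modelled on the ticket's description, not copied from Django."""

    def __getitem__(self, key):
        for params in (self.POST, self.GET):
            if key in params:
                return params[key]
        raise KeyError(key)


def resolve(context, path):
    """Resolve a dotted variable the way the ticket describes: for each
    bit try current[bit], then getattr(current, bit), then current[int(bit)].
    A failed lookup yields the empty string, as a template would render."""
    current = context
    for bit in path.split("."):
        try:
            current = current[bit]  # dictionary lookup is tried FIRST
        except (TypeError, AttributeError, KeyError, ValueError, IndexError):
            try:
                current = getattr(current, bit)  # attribute lookup second
            except AttributeError:
                try:
                    current = current[int(bit)]  # list index last
                except (IndexError, ValueError, KeyError, TypeError):
                    return ""
    return current


def render_user(request, autoescape=False):
    """Render what {{ request.user }} would produce for the given request.
    autoescape=True models the template engine escaping the output: the
    markup is neutralised, but the displayed identity is still attacker-chosen."""
    value = str(resolve({"request": request}, "request.user"))
    return html.escape(value) if autoescape else value


if __name__ == "__main__":
    print(render_user(ShadowingRequest("")))                       # alice
    print(render_user(ShadowingRequest("user=<b>evil</b>")))       # <b>evil</b>
    print(render_user(ShadowingRequest("user=<b>evil</b>"), True)) # &lt;b&gt;evil&lt;/b&gt;
    print(render_user(SafeRequest("user=<b>evil</b>")))            # alice
    print(resolve({"request": SafeRequest("user=x")}, "request.REQUEST.user"))  # x
```

With `SafeRequest`, `current["user"]` raises TypeError because the object is not subscriptable, so the resolver falls through to `getattr` and finds the middleware-set attribute; a template that really wants a submitted parameter has to spell out `request.REQUEST.user`, which is the migration path the ticket suggests.
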
Change History (1)

comment:1 Changed 7 years ago by ubernostrum

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #3828.
