changeset 6326:1b448d8a422f
utils: fix broken URL in jsonify warning
Also add a note summarizing the linked concerns.
author | Søren Løvborg <sorenl@unity3d.com> |
date | Mon, 07 Nov 2016 15:09:13 +0100 |
parents | aa2542a6538b |
children | a2db1b9be04d |
files | kallithea/lib/utils.py |
diffstat | 1 files changed, 6 insertions(+), 1 deletions(-) [+] |
--- a/kallithea/lib/utils.py Fri Sep 23 21:14:40 2016 +0200
+++ b/kallithea/lib/utils.py Mon Nov 07 15:09:13 2016 +0100
@@ -718,9 +718,14 @@
 pylons.response.headers['Content-Type'] = 'application/json; charset=utf-8'
 data = func(*args, **kwargs)
 if isinstance(data, (list, tuple)):
+ # A JSON list response is syntactically valid JavaScript and can be
+ # loaded and executed as JavaScript by a malicious third-party site
+ # using <script>, which can lead to cross-site data leaks.
+ # JSON responses should therefore be scalars or objects (i.e. Python
+ # dicts), because a JSON object is a syntax error if intepreted as JS.
 msg = "JSON responses with Array envelopes are susceptible to " \
 "cross-site data leak attacks, see " \
- "http://wiki.pylonshq.com/display/pylonsfaq/Warnings"
+ "https://web.archive.org/web/20120519231904/http://wiki.pylonshq.com/display/pylonsfaq/Warnings"
 warnings.warn(msg, Warning, 2)
 log.warning(msg)
 log.debug("Returning JSON wrapped action output")
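Review bot: The new comment block's last line has a typo, `intepreted` should read `interpreted`, in `# dicts), because a JSON object is a syntax error if intepreted as JS.`. The comment also leaves unsaid what the code visibly does after the warning: the list/tuple branch only warns and logs, then falls through to "Returning JSON wrapped action output", so the array envelope is still sent to the client and the warning is advisory rather than a guard. I would add one sentence to the comment making that explicit, e.g. `# The response is still emitted as-is; the warning is only a prompt to change the action's return type.`, so a reader does not take the check for enforcement. The enclosing wrapper function starts and ends outside the hunk, so whether anything downstream rejects list responses cannot be confirmed from here.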