From d07600f04bb9603506386ccf959d4c499aba556a Mon Sep 17 00:00:00 2001
From: AlexejStukov
Date: Thu, 21 Jul 2016 21:06:25 +0200
Subject: [PATCH 1/3] Security fix - every field of a model is send - even password
Atm WebsocketBinding sends every field of a model, even the password of a user. Users of the class should have to think about which fields they want to send to the user. Also added a more intuitive option for sending all fields.
---
channels/binding/websockets.py | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/channels/binding/websockets.py b/channels/binding/websockets.py
index 5252299..0e1409e 100644
--- a/channels/binding/websockets.py
+++ b/channels/binding/websockets.py
@@ -30,6 +30,11 @@ class WebsocketBinding(Binding):
# Stream multiplexing name
stream = None
+
+ # only model fields that are listed in fields should be send by default
# if you want to really send all fields, use fields = ['__all__']
+
+ fields = []
# Outbound
@classmethod
@@ -49,7 +54,9 @@ class WebsocketBinding(Binding):
"""
Serializes model data into JSON-compatible types.
"""
- data = serializers.serialize('json', [instance])
+ if self.fields == ['__all__']:
+ self.fields = None
+ data = serializers.serialize('json', [instance], fields=self.fields)
return json.loads(data)[0]['fields']
# Inbound
From 6eda634746d8e8d4fd831747d52e6e1270cdfc4e Mon Sep 17 00:00:00 2001
From: AlexejStukov
Date: Thu, 21 Jul 2016 21:08:47 +0200
Subject: [PATCH 2/3] whitespace
---
channels/binding/websockets.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/channels/binding/websockets.py b/channels/binding/websockets.py
index 0e1409e..b211442 100644
--- a/channels/binding/websockets.py
+++ b/channels/binding/websockets.py
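Review bot: The comment above the new `fields = []` attribute has a grammar slip ("should be send") and does not state the contract that matters for this fix: the empty default is a deliberate deny-by-default that every subclass is expected to override. I'd replace the two comment lines with `# Model fields serialized for outbound messages; subclasses must set this explicitly.` and `# Use ['__all__'] only when every field of the model is safe to expose to clients.` The enclosing class starts above the hunk.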
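Review bot: In the serialize() hunk, `self.fields = None` turns the `['__all__']` configuration into a permanent instance attribute as a side effect of serializing, so the value the class was configured with is lost after the first call; the third patch in this series makes this a visible failure, because its `elif not self.fields:` branch then raises on the second serialize() call of the same instance (`not None` is true). Keep the resolution local instead: `fields = None if self.fields == ['__all__'] else self.fields` and `data = serializers.serialize('json', [instance], fields=fields)`. Whether one binding instance serializes more than one message depends on how bindings are instantiated, which is outside the hunk, but the state mutation is wrong either way. serialize()'s signature sits above the hunk.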
@@ -30,10 +30,10 @@ class WebsocketBinding(Binding):
# Stream multiplexing name
stream = None
-
+
# only model fields that are listed in fields should be send by default
# if you want to really send all fields, use fields = ['__all__']
-
+
fields = []
# Outbound
From 4625266db6047b78c91d1a97f63738955adb237b Mon Sep 17 00:00:00 2001
From: AlexejStukov
Date: Fri, 22 Jul 2016 08:17:49 +0200
Subject: [PATCH 3/3] raise error if self.fields is empty
---
channels/binding/websockets.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/channels/binding/websockets.py b/channels/binding/websockets.py
index b211442..fcd97ef 100644
--- a/channels/binding/websockets.py
+++ b/channels/binding/websockets.py
@@ -56,6 +56,8 @@ class WebsocketBinding(Binding):
"""
if self.fields == ['__all__']:
self.fields = None
+ elif not self.fields:
+ raise ValueError("You must set the fields attribute on Binding %r!" % self.__class__)
data = serializers.serialize('json', [instance], fields=self.fields)
return json.loads(data)[0]['fields']
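Review bot: The `['__all__']` sentinel is matched by list equality, so a subclass that writes `fields = ('__all__',)` passes the new `elif not self.fields:` check unchanged and is handed to the serializer with a field literally named `__all__`, which presumably yields an empty payload with no error rather than the intended all-fields output. Matching the sentinel by content, `if list(self.fields) == ['__all__']:`, closes that gap; otherwise the attribute comment should say it must be a list. Note also that the new check only fires when the first outbound message is serialized, so a binding with no `fields` is not caught until traffic flows; if Binding has a setup or registration hook (not visible here), validating `fields` there would surface the misconfiguration at startup. serialize() starts above the hunk.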