django/daphne
1
1
Fork 0
mirror of https://github.com/django/daphne.git synced 2025-07-14 18:02:17 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #264 from AlexejStukov/patch-10

Browse Source 
Security fix - every field of a model is send - even password
This commit is contained in:
Andrew Godwin 2016-07-22 21:32:32 -04:00 committed by GitHub
commit 8c6050fbba
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
channels/binding/websockets.py
View File

@ -31,6 +31,11 @@ class WebsocketBinding(Binding):
stream = None stream = None
# only model fields that are listed in fields should be send by default
# if you want to really send all fields, use fields = ['__all__']
fields = []
# Outbound # Outbound
@classmethod @classmethod
def encode(cls, stream, payload): def encode(cls, stream, payload):
@ -49,7 +54,11 @@ class WebsocketBinding(Binding):
""" """
Serializes model data into JSON-compatible types. Serializes model data into JSON-compatible types.
""" """
data = serializers.serialize('json', [instance]) if self.fields == ['__all__']:
self.fields = None
elif not self.fields:
raise ValueError("You must set the fields attribute on Binding %r!" % self.__class__)
data = serializers.serialize('json', [instance], fields=self.fields)
return json.loads(data)[0]['fields'] return json.loads(data)[0]['fields']
# Inbound # Inbound