On 11/17/2011 02:51 PM, Luke Plant wrote:
> It's pretty easy to produce a DOS attack using only builtin template
> tags and filters, and a completely empty context e.g.:
>
> {% for a in "xxxxxxxxxxxxxxx"|make_list %}
> {% for a in "xxxxxxxxxxxxxxx"|make_list %}
> {# etc #}
> {% endfor %}
> {% endfor %}
>
> I'm sure there must be other ways to do this, and there may well be
> different other types of flaws. I guess it depends on what you mean by
> 'safe', but we certainly haven't built the template system with this in
> mind.
Yes, good point. I'd expect there are a number of ways to do something
along these lines; you'd have to render the template in a thread with a
short timeout or something. I personally wouldn't try to use the
template language with truly untrusted input; I might (and have) with
potentially-incompetent-trusted-user input.

I guess my real point is just that I think the core request, to be able
to lock down what template tag libraries can be loaded in a template, is
a reasonable one, and "just document the restriction!" is not sufficient
reason to reject it.

Carl
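One cheap mitigation for the nested-loop pattern quoted above, as an added example that is not part of the thread or of Django's code: a static pre-check that caps how deeply {% for %} loops nest before a user-supplied template is handed to the engine. The tag names are Django's real ones; the depth limit and the sample templates are assumptions constructed for this example.

```python
import re

# Matches Django block tags such as {% for x in y %} and {% endfor %};
# group 1 is the tag name. {# comments #} and {{ variables }} are skipped.
TAG_RE = re.compile(r"\{%\s*(\w+)(.*?)%\}", re.DOTALL)


def max_for_depth(template_source):
    """Return the deepest nesting of {% for %} loops in the template text.

    Raises ValueError on an {% endfor %} without a matching {% for %} or an
    unclosed {% for %}, which Django's own parser would also reject.
    """
    depth = deepest = 0
    for match in TAG_RE.finditer(template_source):
        name = match.group(1)
        if name == "for":
            depth += 1
            deepest = max(deepest, depth)
        elif name == "endfor":
            if depth == 0:
                raise ValueError("endfor without matching for")
            depth -= 1
    if depth != 0:
        raise ValueError("unclosed for loop")
    return deepest


def check_template(template_source, max_depth=3):
    """Accept or reject user-supplied template text by loop nesting depth.

    N nested loops over a sequence of length L cost about L**N iterations,
    so capping N (together with a cap on total template length) bounds the
    render work. The limit of 3 is an assumption for this example, not a
    Django setting; it is deliberately conservative.
    """
    depth = max_for_depth(template_source)
    if depth > max_depth:
        return False, "for loops nested %d deep (limit %d)" % (depth, max_depth)
    return True, "ok"


# Constructed samples: the shape quoted in the thread, nested five deep,
# and an ordinary single loop.
HOSTILE = ('{% for a in "xxxxxxxxxxxxxxx"|make_list %}' * 5
           + "{# etc #}" + "{% endfor %}" * 5)
BENIGN = "{% for item in items %}{{ item }}{% endfor %}"
```

The check is a complement to, not a replacement for, rendering in a worker with a hard timeout as suggested in the reply, since other tags and filters can also be expensive.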