2010/7/26 Craig Younkins:
>> "As far as I can determine, only badly-written user code could result in
>> SQL injection."
>
> And with that statement you define the world of application security. Nearly
> all the exploits and vulnerabilities we see are not because the security
> controls don't exist -
>

> "As far as I can determine, only badly-written user code could result in
> SQL injection."
And with that statement you define the world of application security. Nearly
all the exploits and vulnerabilities we see are not because the security
controls don't exist - it's because they aren't used co
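
The point made in the quoted exchange, in runnable form: an ORM that binds parameters keeps you safe, and SQL injection comes from application code that splices user input into raw SQL text. This is an added example, not code from the thread or from Django. It uses Python's sqlite3 module directly rather than the Django ORM; the `auth_user`-like table, its rows and the payload string are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the thread).
USERS = [
    ("alice", "alice@example.org", 1),
    ("bob", "bob@example.org", 0),
    ("carol", "carol@example.org", 1),
]

# Classic tautology payload: closes the quoted literal and appends OR '1'='1.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory database with a small auth_user-like table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_user (username TEXT, email TEXT, is_staff INTEGER)"
    )
    conn.executemany("INSERT INTO auth_user VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def find_staff_unsafe(conn, username):
    """Vulnerable: the caller's string is pasted into the SQL text.

    With PAYLOAD the statement becomes
      ... WHERE is_staff = 1 AND username = 'x' OR '1'='1'
    and, because AND binds tighter than OR, every row matches,
    staff or not.
    """
    sql = (
        "SELECT username FROM auth_user "
        "WHERE is_staff = 1 AND username = '%s'" % username
    )
    return sorted(row[0] for row in conn.execute(sql))


def find_staff_safe(conn, username):
    """Hardened: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT username FROM auth_user WHERE is_staff = 1 AND username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


if __name__ == "__main__":
    db = make_db()
    print("unsafe, honest input :", find_staff_unsafe(db, "alice"))
    print("unsafe, payload      :", find_staff_unsafe(db, PAYLOAD))
    print("safe, payload        :", find_staff_safe(db, PAYLOAD))
```

The Django ORM binds its query parameters the same way the safe function does; the hazard lives in the escape hatches (`raw()`, `extra()`, `cursor.execute()`) when a developer formats user input into the SQL string instead of passing it through the `params` argument.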

On Mon, Jul 26, 2010 at 1:38 PM, Alex Gaynor wrote:
> Bzzz :), we do flush the entire session here:
> http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/__init__.py#L84
Ah, you're right - thanks. Looks like it's been that way for a while:
http://code.djangoproject.com/changese
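
The behaviour Alex points at (throwing the session away when a user logs in) is the standard defence against session fixation: whatever session identifier the browser carried before authentication, possibly one an attacker planted, must not become the authenticated one. Below is an added example that is not Django's code (Django's own logic is in the `django.contrib.auth` login linked above); it uses a toy in-memory session store with hypothetical names (`SessionStore`, `login_without_flush`, `login_with_flush`, `fixation_succeeds`) to show the vulnerable and the hardened login side by side and to run the attack against each.

```python
import secrets


class SessionStore:
    """Toy server-side session store (hypothetical; not Django's SessionBase)."""

    def __init__(self):
        self._sessions = {}  # session_key -> dict of session data

    def create(self):
        key = secrets.token_hex(16)
        self._sessions[key] = {}
        return key

    def get(self, key):
        # Like a framework would, start a fresh session for an unknown key
        # instead of failing.
        if key not in self._sessions:
            self._sessions[key] = {}
        return self._sessions[key]

    def flush(self, key):
        """Discard the session behind `key` entirely and return a new key."""
        self._sessions.pop(key, None)
        return self.create()

    def exists(self, key):
        return key in self._sessions


def login_without_flush(store, session_key, user_id):
    """Vulnerable: marks the *existing* session as authenticated."""
    store.get(session_key)["user_id"] = user_id
    return session_key


def login_with_flush(store, session_key, user_id):
    """Hardened: the pre-authentication session is discarded on login,
    so the browser ends up with a key nobody else has seen."""
    new_key = store.flush(session_key)
    store.get(new_key)["user_id"] = user_id
    return new_key


def fixation_succeeds(login):
    """Run a session-fixation attack against `login`.

    The attacker obtains a valid session key, gets the victim's browser to
    present it (crafted link, injected cookie, shared machine) and waits for
    the victim to log in. Returns True if the attacker's key now carries the
    victim's identity.
    """
    store = SessionStore()
    attacker_key = store.create()
    # The victim logs in while carrying the attacker's key (user 42 is a
    # constructed id).
    login(store, attacker_key, user_id=42)
    return (
        store.exists(attacker_key)
        and store.get(attacker_key).get("user_id") == 42
    )


if __name__ == "__main__":
    print("fixation vs login_without_flush:", fixation_succeeds(login_without_flush))
    print("fixation vs login_with_flush   :", fixation_succeeds(login_with_flush))
```

Flushing is the blunt form of the defence; rotating only the key while keeping the data (cycling) also defeats fixation, but flushing additionally guarantees that nothing written into the session before authentication survives into the authenticated one.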

On Mon, Jul 26, 2010 at 2:57 PM, Jacob Kaplan-Moss wrote:
> Hi Craig --
>
> Once again, thanks for this work; I can see it paying off big. And I
> know you know this, but for the benefit of anyone else reading this
> thread:
>
> **PLEASE report any security issues — potential or otherwise — to
> s

Hi Craig --
Once again, thanks for this work; I can see it paying off big. And I
know you know this, but for the benefit of anyone else reading this
thread:
**PLEASE report any security issues — potential or otherwise — to
secur...@djangoproject.com.**
(More on our security policy:
http://docs.d

At Python Security [1] we are beginning to turn our focus towards an
in-depth but informal review of Django. Below is an excerpt from the email
[2] I sent to our mailing list:
[4] is the wiki page for Django. As you can see, we already have a
bunch of information.
In particular, I've taken a look