natestedman / Observatory

A Python based dashboard for the Rensselaer Center for Open Source Software. For continued development, please see http://github.com/rcos/observatory
rcos.rpi.edu
ISC License

I'm pretty sure this is bad #33

Status: Closed (colinsullivan closed this issue 13 years ago)

colinsullivan commented 13 years ago

https://github.com/NateStedman/Observatory/blob/1b0f36aafc0af5f6ec4f7df968cf7934159f077e/observatory/dashboard/users.py#L35

Using those POST variables directly makes SQL injection possible I believe. Should have a django form and use the cleaned_data member.

Can use stuff from django.contrib.auth.forms: http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/forms.py

hortont424 commented 13 years ago

Unlikely that it makes SQL injection possible, as it's quite likely that User.objects.create_user uses proper substitution to construct the insertion. However, XSS or something like that... quite a bit more likely.

Did I say likely enough?

natestedman commented 13 years ago

Will fix this along with the addition of recaptcha (general cleanup of login/registration)

colinsullivan commented 13 years ago

Could extend the django.contrib.auth forms and add some of this:

http://djangosnippets.org/snippets/1653/

GraylinKim commented 13 years ago

Closed!