
Re: [tor-bugs] #10754 [Tor Support]: Implement an invitation based token system into webchat



#10754: Implement an invitation based token system into webchat
-----------------------------+--------------------------
     Reporter:  Sherief      |      Owner:  Sherief
         Type:  task         |     Status:  needs_review
     Priority:  blocker      |  Milestone:
    Component:  Tor Support  |    Version:
   Resolution:               |   Keywords:  SponsorO
Actual Points:               |  Parent ID:  #10755
       Points:               |
-----------------------------+--------------------------

Comment (by Sherief):

 Replying to [comment:30 lunar]:
 > Replying to [comment:29 Sherief]:
 > > > What if an attacker manages to add data to the DB without going
 > > > through Django's validation process?
 > >
 > > That's not even possible because:
 > > 1) `token_page()` is decorated with `@login_required`.
 > > 2) you cannot access `create_token()` because it's not mentioned in
 > > urls.py like `token_page()` and `login()`.
 >
 > An attacker could gain direct access to the SQL database.

 I am using sqlite, and I am not sure how an attacker can get access to that
 unless he has access to the VM. And what does that have to do with
 cleaning the comment input before submitting to the database?

 Anyway, I will use `django.db.models.Model.full_clean` to clean the data
 before submission.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10754#comment:31>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online