[tor-bugs] #10754 [Tor Support]: Implement an invitation based token system into webchat

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 15 18:35:53 UTC 2014


#10754: Implement an invitation based token system into webchat
-----------------------------+--------------------------
     Reporter:  Sherief      |      Owner:  Sherief
         Type:  task         |     Status:  needs_review
     Priority:  blocker      |  Milestone:
    Component:  Tor Support  |    Version:
   Resolution:               |   Keywords:  SponsorO
Actual Points:               |  Parent ID:  #10755
       Points:               |
-----------------------------+--------------------------

Comment (by Sherief):

 Replying to [comment:30 lunar]:
 > Replying to [comment:29 Sherief]:
 > > > What if an attacker manages to add data to the DB without going through Django's validation process?
 > >
 > > That's not even possible because:
 > > 1) `token_page()` is decorated with `@login_required`.
 > > 2) you cannot access `create_token()` because it's not mentioned in urls.py like `token_page()` and `login()`.
 >
 > An attacker could gain direct access to the SQL database.

 I am using sqlite, I am not sure how an attacker can get access to that
 unless he has access to the VM. And what does that have to do with
 cleaning the comment input before submitting to the database?

 Anyway, I will use `django.db.models.Model.full_clean` to clean the data
 before submission.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10754#comment:31>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
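The two points in this exchange (validate at the model layer before every write, and do not assume rows already in the database went through that validation) can be illustrated with a small stdlib-only sketch. This is an added example, not code from the webchat project; it mirrors the `full_clean()`-before-save pattern with plain `sqlite3`, and the token format (32 lowercase hex characters), the comment length limit and the table name are assumptions.

```python
import re
import secrets
import sqlite3
from dataclasses import dataclass

TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")  # assumed token format
COMMENT_MAX = 200                          # assumed comment limit


class ValidationError(ValueError):
    pass


@dataclass
class Token:
    token: str
    comment: str

    def full_clean(self):
        """Field-level checks, run before every write (mirrors Model.full_clean)."""
        errors = []
        if not TOKEN_RE.match(self.token):
            errors.append("token must be 32 lowercase hex characters")
        if len(self.comment) > COMMENT_MAX:
            errors.append(f"comment longer than {COMMENT_MAX} characters")
        if any(ord(c) < 32 for c in self.comment):
            errors.append("comment contains control characters")
        if errors:
            raise ValidationError("; ".join(errors))


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE webchat_token (token TEXT PRIMARY KEY, comment TEXT)")
    return conn


def create_token(conn, comment):
    """The only sanctioned write path: validate first, then a parameterised insert."""
    t = Token(secrets.token_hex(16), comment)
    t.full_clean()
    conn.execute("INSERT INTO webchat_token VALUES (?, ?)", (t.token, t.comment))
    return t


def invalid_rows(conn):
    """Re-validate stored rows: flags data that reached the DB outside create_token()."""
    bad = []
    for token, comment in conn.execute("SELECT token, comment FROM webchat_token"):
        try:
            Token(token, comment).full_clean()
        except ValidationError as e:
            bad.append((token, str(e)))
    return bad
```

`invalid_rows()` is the check that answers lunar's scenario: a row written directly to the SQLite file never passed `full_clean()`, so validation on the write path alone says nothing about it.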