Ticket #1908 (closed defect: fixed)

Opened 3 months ago

Last modified 3 months ago

Paginate: malicious/incorrect ordering parameter can cause ALL records to be selected

Reported by: dazzawazza Assigned to: anonymous
Priority: normal Milestone:
Component: TurboGears Version: 1.0.5
Severity: normal Keywords:
Cc:

Description

Legacy URLs can include an ordering parameter for a column that does not exist in the table being paginated. This causes the paginate code to get all records from the table, which can be harmful for large datasets.

The fix discussed on the TG Mailing list is to add a parameter to limit the maximum number of records retrieved.

Mailing List discussion.

Change History

07/24/08 07:16:10 changed by chrisz

  • status changed from new to closed.
  • resolution set to fixed.

Fixed in r5025: max_limit and max_sort parameters have been added to the paginate decorator.
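The defect pattern in this ticket (an unvalidated ordering parameter that silently widens the query to the whole table) next to the mitigation the fix describes (a hard cap on the page size, here combined with an allowlist of sortable columns), as an added Python illustration. This is not TurboGears' paginate decorator; the rows, column names, parameter names and function names are constructed for the example.

```python
# Constructed sample "table": a list of dicts standing in for ORM rows.
COLUMNS = ("id", "name", "created")
ROWS = [{"id": i, "name": f"user{i:03d}", "created": 1000 - i} for i in range(1, 501)]


class PaginationError(ValueError):
    """Raised instead of silently widening the query when a request parameter is bad."""


def paginate_unsafe(rows, order_by, limit):
    """Mimics the reported defect (hypothetical, not TurboGears code): an ordering
    column that is not in the table makes the code fall back to returning every
    record, and the caller-supplied limit is trusted as-is."""
    if order_by not in COLUMNS:
        return list(rows)  # whole table returned for a bogus/legacy column name
    ordered = sorted(rows, key=lambda r: r[order_by])
    return ordered[:limit]


def paginate_safe(rows, order_by, limit, *, max_limit=100, allowed_columns=COLUMNS):
    """Hardened form: an unknown ordering column is rejected rather than widened,
    the limit must be a positive integer, and it is clamped to max_limit so no
    single request can pull the whole table regardless of what the URL says."""
    if order_by is not None and order_by not in allowed_columns:
        raise PaginationError(f"unknown ordering column: {order_by!r}")
    try:
        limit = int(limit)
    except (TypeError, ValueError):
        raise PaginationError(f"limit is not an integer: {limit!r}")
    if limit < 1:
        raise PaginationError(f"limit must be positive, got {limit}")
    limit = min(limit, max_limit)  # the cap the ticket's max_limit parameter provides
    ordered = sorted(rows, key=lambda r: r[order_by]) if order_by else list(rows)
    return ordered[:limit]


if __name__ == "__main__":
    # A legacy-style request naming a column that no longer exists.
    print("unsafe, bogus column:", len(paginate_unsafe(ROWS, "no_such_col", 20)), "rows")
    print("safe, oversized limit:", len(paginate_safe(ROWS, "id", 999999)), "rows")
    try:
        paginate_safe(ROWS, "no_such_col", 20)
    except PaginationError as exc:
        print("safe, bogus column rejected:", exc)
```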