Ticket #1908 (closed defect: fixed)
Paginate: malicious/incorrect ordering parameter can cause ALL records to be selected
| Reported by: | dazzawazza | Owned by: | anonymous |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | TurboGears | Version: | 1.0.5 |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
Legacy URLs can include an ordering parameter for a column that does not exist in the table being paginated. This causes the paginate code to get all records from the table, which can be harmful for large datasets.
The fix discussed on the TG Mailing list is to add a parameter to limit the maximum number of records retrieved.
Mailing List discussion.
Change History
Fixed in r5025: max_limit and max_sort parameters have been added to the paginate decorator.
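The defensive pattern behind the ticket's description and the r5025 fix note, as an added example that is not TurboGears' own paginate decorator: the sort parameter is checked against an explicit allow-list of columns (an unknown column is dropped instead of falling through to an unsorted, unbounded fetch), the number of sort keys is capped, and the page size is clamped so the query always carries a LIMIT. The function names (`normalize_order`, `clamp_limit`, `build_page_query`, `fetch_page`), the `items` table, the caps and the sample rows are constructed for this example; only the parameter names `max_limit` and `max_sort` echo the ticket.

```python
"""Bounded, allow-listed pagination (example code, not the TurboGears implementation)."""
import sqlite3

# Assumptions for this example: a fixed table and a fixed set of sortable columns.
TABLE = "items"                              # never taken from the request
ALLOWED_SORT_COLUMNS = ("id", "name", "created")
MAX_LIMIT = 100                              # hard cap on rows per page (cf. max_limit)
MAX_SORT = 2                                 # hard cap on number of sort keys (cf. max_sort)
DEFAULT_LIMIT = 20


def normalize_order(order, allowed=ALLOWED_SORT_COLUMNS, max_sort=MAX_SORT):
    """Turn a raw ``order`` query value such as "name,-created" into
    [(column, direction), ...]. A leading '-' means descending. Columns not in
    the allow-list are silently discarded; at most ``max_sort`` keys survive.
    The column names that reach SQL therefore come only from ``allowed``."""
    keys = []
    if not order:
        return keys
    for token in str(order).split(","):
        token = token.strip()
        if not token:
            continue
        direction = "ASC"
        if token.startswith("-"):
            direction = "DESC"
            token = token[1:]
        if token in allowed and len(keys) < max_sort:
            keys.append((token, direction))
    return keys


def clamp_limit(limit, default=DEFAULT_LIMIT, max_limit=MAX_LIMIT):
    """Coerce the requested page size into the range [1, max_limit].
    Garbage or non-positive values fall back to the default page size."""
    try:
        n = int(limit)
    except (TypeError, ValueError):
        return default
    if n < 1:
        return default
    return min(n, max_limit)


def build_page_query(order=None, limit=None, page=1):
    """Build a parameterized SELECT that is always bounded by LIMIT/OFFSET.
    Returns (sql, params)."""
    keys = normalize_order(order)
    n = clamp_limit(limit)
    try:
        page = max(int(page), 1)
    except (TypeError, ValueError):
        page = 1
    sql = "SELECT * FROM %s" % TABLE
    if keys:
        # Only allow-listed identifiers are interpolated here.
        sql += " ORDER BY " + ", ".join("%s %s" % key for key in keys)
    sql += " LIMIT ? OFFSET ?"
    return sql, (n, (page - 1) * n)


def fetch_page(conn, order=None, limit=None, page=1):
    """Run the bounded query and return the rows of the requested page."""
    sql, params = build_page_query(order, limit, page)
    return conn.execute(sql, params).fetchall()


def demo():
    """Constructed scenario: 1000 rows and a legacy-style request naming a
    column that does not exist plus an absurd page size. Returns the number
    of rows actually fetched, which stays at MAX_LIMIT rather than 1000."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, created INTEGER)")
    conn.executemany("INSERT INTO items (name, created) VALUES (?, ?)",
                     [("item%04d" % i, 1000 - i) for i in range(1000)])
    rows = fetch_page(conn, order="no_such_column", limit=10 ** 9, page=1)
    return len(rows)


if __name__ == "__main__":
    print("rows fetched for bogus request:", demo())
```

The allow-list is the important part: validating the sort column before it touches SQL means a misspelled or stale legacy parameter degrades to the default ordering, and the LIMIT clamp means no request, valid or not, can pull the whole table.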