Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": No module named svn). Look in the Trac log for more information.

Ticket #1908 (closed defect: fixed)

Opened 11 years ago

Last modified 11 years ago

Paginate: malicious/incorrect odering parameter can cause ALL records to be selected

Reported by: dazzawazza Owned by: anonymous
Priority: normal Milestone:
Component: TurboGears Version: 1.0.5
Severity: normal Keywords:


Legacy url's can include an ordering parameter for a column that does not exist in the table being paginated. This causes to paginate code to get all records from the table which can be harmful for large datasets.

The fix discussed on the TG Mailing list is to add a parameter to limit the maximum number of records retrieved.

 Mailing List discussion.

Change History

comment:1 Changed 11 years ago by chrisz

  • Status changed from new to closed
  • Resolution set to fixed

Fixed in r5025, max_limit and max_sort parameters have been added to the paginate decorator.

Note: See TracTickets for help on using tickets.