- Committer: mattgiuca
- Date: 2008-07-21 04:21:18 UTC
- Revision ID: svn-v3-trunk0:2b9c9e99-6f39-0410-b283-7f802c844ae2:trunk:917
interpret.py: Removed the code which removes HTTP_COOKIE from the CGI
environment. Student code can now access cookies.
Note: This was previously a security risk because malicious code could
steal IVLE cookies. Now that we have separate domain space for other users,
the worst you can do is:
a) Steal your own IVLE cookie.
b) Steal other user's non-IVLE cookies (ie. other public cookies).
This makes all student code vulnerable to cookie theft, but that is simply a
disclaimer (if you use cookies, your apps are vulnerable). It is not a
security risk to IVLE itself.
environment. Student code can now access cookies.
Note: This was previously a security risk because malicious code could
steal IVLE cookies. Now that we have separate domain space for other users,
the worst you can do is:
a) Steal your own IVLE cookie.
b) Steal other user's non-IVLE cookies (ie. other public cookies).
This makes all student code vulnerable to cookie theft, but that is simply a
disclaimer (if you use cookies, your apps are vulnerable). It is not a
security risk to IVLE itself.
| Filename | Latest Rev | Last Changed | Committer | Comment | Size | ||
|---|---|---|---|---|---|---|---|
 ..
|
|||||||
__init__.py |
409 | 17 years ago | mattgiuca | Moved www/conf and www/common to a new directory l | Empty |
|
|
|
caps.py |
488 | 17 years ago | drtomc | caps.py: Added more capabilities and descriptions. | 5.1 KB |
|
|
|
cgirequest.py |
851 | 16 years ago | wagrant | Give CGIRequest an exception handler which turns a | 11.9 KB |
|
|
|
chat.py |
544 | 17 years ago | mattgiuca | chat.py: When an exception is caught, now returns | 3.6 KB |
|
|
|
date.py |
892 | 16 years ago | wagrant | fileservice_lib: Give date pretty-printing functio | 2.4 KB |
|
|
|
db.py |
876 | 16 years ago | mattgiuca | common/db.py: Added add_enrolment method. | 35.9 KB |
|
|
|
forumutil.py |
671 | 16 years ago | dcoles | forum: Now uses a unique secret generated at './se | 1.6 KB |
|
|
|
interpret.py |
917 | 16 years ago | mattgiuca | interpret.py: Removed the code which removes HTTP_ | 16.1 KB |
|
|
|
makeuser.py |
912 | 16 years ago | dcoles | Makeuser: Makeuser will now chown all files in a u | 14.5 KB |
|
|
|
studpath.py |
724 | 16 years ago | dcoles | public mode: Backend changes to enable public mode | 6 KB |
|
|
|
svn.py |
889 | 16 years ago | wagrant | common.svn: Add a method to check if a path has th | 2.3 KB |
|
|
|
user.py |
669 | 16 years ago | mattgiuca | Timestamps are now stored within the program as Py | 4.2 KB |
|
|
|
util.py |
851 | 16 years ago | wagrant | Give CGIRequest an exception handler which turns a | 7 KB |
|
|
|
zip.py |
763 | 16 years ago | mattgiuca | Zip file uploading now works. (Patch submitted by | 4.3 KB |
|
|