[Jifty-commit] r5549 - in jifty/trunk: lib/Jifty/Plugin/REST
Jifty commits
jifty-commit at lists.jifty.org
Tue Jul 15 10:44:12 EDT 2008
Author: trs
Date: Tue Jul 15 10:44:11 2008
New Revision: 5549
Modified:
jifty/trunk/ (props changed)
jifty/trunk/lib/Jifty/Plugin/REST/Dispatcher.pm
Log:
r37342 at zot: tom | 2008-07-15 10:43:23 -0400
Fix a security hole which lets you call any method on the model. We were checking the load by column with valid_column instead of the display field.
Modified: jifty/trunk/lib/Jifty/Plugin/REST/Dispatcher.pm
==============================================================================
--- jifty/trunk/lib/Jifty/Plugin/REST/Dispatcher.pm (original)
+++ jifty/trunk/lib/Jifty/Plugin/REST/Dispatcher.pm Tue Jul 15 10:44:11 2008
@@ -516,7 +516,7 @@
$rec->can($field) or abort(404);
# Check that the field is actually a column (and not some other method)
- abort(404) unless valid_column($model, $column);
+ abort(404) unless valid_column($model, $field);
outs( [ 'model', $model, $column, $key, $field ],
Jifty::Util->stringify($rec->$field()) );
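Review bot: the fix validates the right variable, since `$field` is what is later invoked via `$rec->$field()`, while `$column` is only the lookup column; with the old check, the sole guard on `$field` was `$rec->can($field)`, which accepts any method name. Note that after this change `$column` is no longer validated in this hunk, so unless it is checked before line 516 the old `abort(404) unless valid_column($model, $column);` should be kept alongside the new check rather than replaced. A regression test that requests a non-column method name as the field and expects a 404 would guard against this being reintroduced.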