  Warnings
Added by Ben Bangert, last edited by Ben Bangert on May 01, 2007

On occasion, Pylons may throw warnings. This page includes all warnings thrown by various versions of Pylons for reference when they occur.

JSON Array Cross-site Exploits (XSRF/CSRF)

Many thanks to Bob Ippolito for the original JSON array document on which this is based, with some background from Wikipedia.

Naïve deployments of JSON are subject to cross-site request forgery attacks (CSRF or XSRF). Because the HTML <script> tag does not respect the same origin policy in web browser implementations, a malicious page can request and obtain JSON data belonging to another site. This will allow the JSON-encoded data to be evaluated in the context of the malicious page, possibly divulging passwords or other sensitive data if the user is currently logged into the other site. (Although the JSON data, as an object literal, would normally evaluate to a constant and so not be visible to the attacker, by overriding the Array() prototype the attacker can feed the JSON data through their own interceptor.)

This exploit is only applicable to JSON that also happens to be valid JavaScript code. The only type of JSON that is valid JavaScript code without parentheses is a JavaScript array (or bare primitives, but those are not interesting or exploitable).

Exploitable:

[{"object": "inside an array"}]

NOT Exploitable:

{"object": "not inside an array"}

Also NOT Exploitable:

{"result": [{"object": "inside an array"}]}

Because of this possible exploit, Pylons' @jsonify decorator will throw a warning should it be asked to jsonify an array (a Python list).
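The following is an added example, not Pylons' own code: a small classifier that flags JSON bodies whose top-level value is an array (the only shape that is evaluable JavaScript when pulled in through a script tag), plus a hypothetical jsonify decorator modelled on the warning behaviour described above, which warns on a list and wraps it in an object under a "result" key (the key name and the sample data are assumptions).

```python
import json
import warnings
from functools import wraps


def json_top_level_kind(body):
    """Classify a JSON text by the type of its top-level value:
    'array', 'object' or 'primitive'."""
    value = json.loads(body)
    if isinstance(value, list):
        return "array"
    if isinstance(value, dict):
        return "object"
    return "primitive"


def is_script_tag_exposable(body):
    """True when the JSON text is also valid, evaluable JavaScript
    without surrounding parentheses, i.e. a bare top-level array."""
    return json_top_level_kind(body) == "array"


def jsonify(wrap_key="result"):
    """Hypothetical decorator (not the Pylons implementation): serialise the
    view's return value, warn if it is a list, and wrap it in an object so the
    response is no longer a bare array."""
    def decorator(func):
        @wraps(func)
        def wrapper(*args, **kwargs):
            data = func(*args, **kwargs)
            if isinstance(data, list):
                warnings.warn(
                    "JSON response with a top-level array is exposable to "
                    "cross-site script inclusion; wrapping it in an object",
                    stacklevel=2,
                )
                data = {wrap_key: data}
            return json.dumps(data)
        return wrapper
    return decorator


@jsonify()
def list_users():
    # Constructed sample data standing in for a real view's result.
    return [{"name": "alice"}, {"name": "bob"}]
```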
