Django 1.8.2 security release patches unusually dangerous bug – update ASAP (opens in new tab)

(djangoproject.com)

17 pointsGlennCSmith11y ago5 comments

5 comments

5 comments · 3 top-level

codygman11y ago· 2 in thread

Adding to my list of security vulnerabilities that static typing would have prevented.

jtokoph11y ago

Isn't an empty string still a string?

codygman11y ago

Right, the issue here is just using null or "". You could use an Optional or Maybe type here. Even better you could define:

    data SessionKey = ValidSessionKey | InvalidSessionKey

Then the developer making the modification code would have been much less likely to type "InvalidSessionKey" whereas the None/"" behavior is just an idiom. The problem here is that the domain knowledge of: "" is a valid session

wasn't communicated by the code.

GlennCSmithOP11y ago

This is an unusually dangerous security bug. Definitely agree with the Django team that all users of Django 1.8 should upgrade as soon as possible.

omouse11y ago

still stuck on Django 1.6.x; also stuck with Python 2.7.x; fear is the order of the day when it comes to upgrades.

j / k navigate · click thread line to collapse