[views/primary] some inner sections should use the `limit` by default to avoid a denial of service (closes #2719110)
Today, it is possible to call .related and get a huge unlimited
database-dos-inducing resultset that will be nevertheless limited a
bit further in pure python in the `autolimited` view.
While we cannot completely avoid potential denial of services such as
these we mitigate the problem with the default ui settings: if the
inner vid is `autolimited`, then the relation result sets is computed
using the user-defined limit.
This change respects the semantics of the `autolimited` view and
shouldn't break anything.
import base64
from cubicweb.server.utils import crypt_password
dbdriver = config.sources()['system']['db-driver']
from logilab.database import get_db_helper
dbhelper = get_db_helper(driver)
insert = ('INSERT INTO cw_cwuser (cw_creation_date,'
' cw_eid,'
' cw_modification_date,'
' cw_login,'
' cw_firstname,'
' cw_surname,'
' cw_last_login_time,'
' cw_upassword,'
' cw_cwuri) '
"VALUES (%(mtime)s, %(eid)s, %(mtime)s, %(login)s, "
" %(firstname)s, %(surname)s, %(mtime)s, %(pwd)s, 'foo');")
update = "UPDATE entities SET source='system' WHERE eid=%(eid)s;"
rset = sql("SELECT eid,type,source,extid,mtime FROM entities WHERE source!='system'", ask_confirm=False)
for eid, type, source, extid, mtime in rset:
if type != 'CWUser':
print "don't know what to do with entity type", type
continue
if not source.lower().startswith('ldap'):
print "don't know what to do with source type", source
continue
extid = base64.decodestring(extid)
ldapinfos = [x.strip().split('=') for x in extid.split(',')]
login = ldapinfos[0][1]
firstname = login.capitalize()
surname = login.capitalize()
args = dict(eid=eid, type=type, source=source, login=login,
firstname=firstname, surname=surname, mtime=mtime,
pwd=dbhelper.binary_value(crypt_password('toto')))
print args
sql(insert, args)
sql(update, args)
commit()