{
    "info": {
        "author": "Ulrich Petri",
        "author_email": "mail@ulo.pe",
        "bugtrack_url": null,
        "classifiers": [
            "Development Status :: 3 - Alpha",
            "Environment :: Web Environment",
            "Framework :: Django",
            "Intended Audience :: Developers",
            "License :: OSI Approved :: MIT License",
            "Operating System :: OS Independent",
            "Programming Language :: Python",
            "Programming Language :: Python :: 2.6",
            "Programming Language :: Python :: 2.7",
            "Topic :: Software Development :: Libraries"
        ],
        "description": "====================\nDjango Careful Forms\n====================\n\nDjango Careful Forms is a small extension on top of `django's Forms system`_. It\ncan help you discover potential security oversights in your forms.\n\nIt will emit warnings if there are any fields defined on forms that have not\nbeen accessed (the asumption beeing that not accessed fields will also not have\nbeen rendered in the template / displayed to the user).\n\n.. _`django's Forms system`: https://docs.djangoproject.com/en/dev/topics/forms/\n\n-------\nExample\n-------\n\nConsider the following example:\n\n.. code:: python\n\n    # models.py:\n\n    class SomeModel(models.Model):\n        name = models.CharField(max_length=100)\n        email = models.CharField(max_length=100)\n        is_admin = models.BooleanField()\n\n\n    class SomeForm(ModelForm):\n        class Meta:\n            model = SomeModel\n\n    # template:\n\n    {{ form.name }}\n    {{ form.email }}\n\n\nYou might have noticed that the model form's ``Meta`` class misses an\n``exclude`` definition for the is_admin field (assuming this is a form that is\ngoing to be displayed to an end user).\n\nNow on first glance this won't cause any problems since the template only\ndisplays the name and email field. However by forgetting to exclude the\n``is_admin`` field you are allowing users to change state internal to your\napplication (and in this hypothetical example gain admin rights).\n\nIf we changed this example to use careful-forms instead the missing field would\nhave triggerd a warning (or even an exception depending on settings, see below),\nalerting you to the vulnerability.\n\n\n----------\nMotivation\n----------\n\nThe initial motivation for this package came from the recently `well publicized\n'mass assignment' vulnerability`_ in the Rails framework. The specifics are not\nimportant but the basic problem was unchecked assignment of request data into a\nmodel.\n\nOf course django is not susceptible to this particular problem because of its\nforms system. However even when using the forms system (especially when using\nModel Forms) it is still possible to inadvertently allow request data to be\nwritten to model fields that are supposed to be private (e.g. by forgetting to\nexclude internal fields).\n\nThe final trigger however was Erik Romijn's nice talk `Building secure Django\nwebsites`_ at djangocon europe 2012 which explicitly mentions the forms pitfall\nin `slide 53ff.`_\n\n.. _`well publicized 'mass assignment' vulnerability`: https://github.com/rails/rails/issues/5228\n.. _`Building secure Django websites`: http://lanyrd.com/2012/djangocon-europe/srprk/\n.. _`slide 53ff.`: https://speakerdeck.com/u/erik/p/building-secure-django-websites?slide=53\n\n-------------\nCompatibility\n-------------\n\n* Python 2.6+\n* django 1.3+\n\n------------\nInstallation\n------------\n\nThe easy & recommended way:\n\n    #~ `pip`_ install django-careful-forms\n\n.. _`pip`: http://www.pip-installer.org/en/latest/index.html\n\n-----\nUsage\n-----\n\n#. Add ``\"careful_forms.middleware.CarefulFormsMiddlware\"`` to your projects\n   ``settings.MIDDLEWARE_CLASSES``. You should add it near the beginning of the \n   list to make sure all forms are covered.\n\n#. For every form that you want to be monitored by django-careful-forms change\n   the base class of your forms to ``careful_forms.forms.CarefulModelForm`` (or\n   ``CarefulForm`` for regular    forms) [1]_.\n\n.. [1] In case you already have a custom form base class you can also add\n   ``CarefulFormMixin`` to it.\n\nExamples:\n\n.. code:: python\n\n    class MyForm(CarefulForm):\n        # ...\n\n    class OtherForm(CarefulModelForm):\n        # ...\n\n    class YetMoreForms(CarefulFormMixin, CustomFormBaseClass):\n        # ...\n\n\n--------\nSettings\n--------\n\nCAREFUL_ENABLED\n---------------\n\nDefault: ``settings.DEBUG``\n\nThis setting is the \"main switch\" for django-careful-forms. When set to ``True``\nthe recording of accessed form fields is active and `warnings`_ will be\ntriggered for not accessed fields. Since the bookkeping machinery incurs a\n(small) per-request overhaed it is by default only enabled in ``DEBUG`` mode.\n\nWhen set to ``False`` no pre-request runtime overhead is introduced.\n\n.. _`warnings`: http://docs.python.org/library/warnings.html\n\nCAREFUL_EXCEPTION_ON_WARNING\n----------------------------\n\nDefault: ``False``\n\nWhen set to ``True`` an exception is raised instead of a warning whenever a not\naccessed field is detected.",
        "description_content_type": null,
        "docs_url": null,
        "download_url": "UNKNOWN",
        "downloads": {
            "last_day": -1,
            "last_month": -1,
            "last_week": -1
        },
        "home_page": "https://github.com/ulope/django-careful-forms",
        "keywords": null,
        "license": "MIT",
        "maintainer": null,
        "maintainer_email": null,
        "name": "django-careful-forms",
        "package_url": "https://pypi.org/project/django-careful-forms/",
        "platform": "UNKNOWN",
        "project_url": "https://pypi.org/project/django-careful-forms/",
        "project_urls": {
            "Download": "UNKNOWN",
            "Homepage": "https://github.com/ulope/django-careful-forms"
        },
        "release_url": "https://pypi.org/project/django-careful-forms/0.1/",
        "requires_dist": null,
        "requires_python": null,
        "summary": "Security minded forms extension for django",
        "version": "0.1"
    },
    "last_serial": 789242,
    "releases": {
        "0.1": [
            {
                "comment_text": "",
                "digests": {
                    "md5": "aedb05437b81c11fcc05ee506cb34e5d",
                    "sha256": "901f7ab8b3087b2dfd93e43ba7db3507c36a8f86a39918be2e87cf577f3411c5"
                },
                "downloads": -1,
                "filename": "django-careful-forms-0.1.tar.gz",
                "has_sig": false,
                "md5_digest": "aedb05437b81c11fcc05ee506cb34e5d",
                "packagetype": "sdist",
                "python_version": "source",
                "requires_python": null,
                "size": 7848,
                "upload_time": "2012-06-08T13:37:42",
                "url": "https://files.pythonhosted.org/packages/0f/f4/6a4b1826316351e10655f0843f700923225abe74ef65b84cd87a3760df5b/django-careful-forms-0.1.tar.gz"
            }
        ]
    },
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "md5": "aedb05437b81c11fcc05ee506cb34e5d",
                "sha256": "901f7ab8b3087b2dfd93e43ba7db3507c36a8f86a39918be2e87cf577f3411c5"
            },
            "downloads": -1,
            "filename": "django-careful-forms-0.1.tar.gz",
            "has_sig": false,
            "md5_digest": "aedb05437b81c11fcc05ee506cb34e5d",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": null,
            "size": 7848,
            "upload_time": "2012-06-08T13:37:42",
            "url": "https://files.pythonhosted.org/packages/0f/f4/6a4b1826316351e10655f0843f700923225abe74ef65b84cd87a3760df5b/django-careful-forms-0.1.tar.gz"
        }
    ]
}