Empty Only Treated as None #772
Comments
As a coincidence, I sent PR #771 today to update the docstring. In I didn't seem like such a bad idea at first sight, but I agree it sucks if the I thinks defaulting to With this patch:

- def __init__(self, only=(), exclude=(), prefix='', many=False,
+ def __init__(self, only=None, exclude=(), prefix='', many=False,
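Review bot: changing the default of `only` from `()` to `None` in `__init__` changes the public signature, so the `only` docstring (the one PR #771 touches) should state that `None` means every field is included while an explicitly empty `only` now means no fields; a caller reading the old docstring would otherwise still expect `()` to be the "all fields" default.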
def _normalize_nested_options(self):
"""Apply then flatten nested schema options"""
- if self.only:
+ if self.only is not None:
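Review bot: with `self.only` now allowed to be `None`, the `is not None` guard in `_normalize_nested_options` is the right test, but anything later in this method that treats `self.only` as an iterable when building the nested options must stay inside this branch; worth confirming no unguarded `set(self.only)` or `in self.only` follows it.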
def _update_fields(self, obj=None, many=False):
"""Update fields based on the passed in object."""
- if self.only:
+ if self.only is not None:

all tests pass, including your test case above.
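Review bot: `if self.only is not None:` in `_update_fields` is the line that fixes the reported behaviour, since an empty `only` no longer falls through the truthiness check and now restricts the field set to nothing. Please add a regression test asserting that a schema constructed with `only=()` serializes no fields and one constructed with the default serializes all of them, so the security-relevant case from the report (a role-based filter meant to hide everything) is pinned down.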
@lafrech Would you like to send a PR with your fix?
Fix #772 Empty Only Treated as None / 2.x-line
For the record, this issue was filed as CVE-2018-17175 and it was fixed in marshmallow 2.15.1.
When the `only` parameter is an empty list/set, it causes all the fields to be de/serialized like `None`. The implementations of 2.x and 3.0 are not in compliance with their respective docs.

This could create a security vulnerability if an application was dynamically generating the field set based on security role. A filter that was meant to hide everything would inadvertently show everything.
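The failure mode the report describes, as an added example that is not marshmallow's own code: a minimal field filter with the pre-fix truthiness check beside the corrected `is not None` check, run over a constructed record and a hypothetical role policy. Every name here (the filter functions, `ROLE_POLICY`, the record) is an assumption for illustration, not a marshmallow API.

```python
from typing import Any, Callable, Dict, Iterable, Optional

# Constructed sample field set standing in for a schema's declared fields.
ALL_FIELDS = {"id", "username", "email", "password_hash"}

# Constructed sample record; the hash value is a placeholder, not a real digest.
RECORD = {"id": 7, "username": "alice", "email": "alice@example.test",
          "password_hash": "<placeholder-hash>"}


def select_fields_buggy(data: Dict[str, Any], only: Iterable[str] = ()) -> Dict[str, Any]:
    """Pre-fix logic: `if self.only:` is False for an empty tuple, so the
    restriction is skipped and every field is emitted (the reported bug)."""
    if only:
        keep = set(only)
    else:
        keep = ALL_FIELDS  # () takes this branch exactly like "no restriction"
    return {k: v for k, v in data.items() if k in keep}


def select_fields_fixed(data: Dict[str, Any], only: Optional[Iterable[str]] = None) -> Dict[str, Any]:
    """Post-fix logic: None is the "no restriction" sentinel; an empty
    `only` keeps nothing, matching the documented behaviour."""
    keep = ALL_FIELDS if only is None else set(only)
    return {k: v for k, v in data.items() if k in keep}


# Hypothetical role-based policy of the kind the report warns about:
# an anonymous caller is meant to see nothing at all.
ROLE_POLICY = {"admin": ("id", "username", "email"), "anonymous": ()}


def visible_fields_for_role(role: str) -> tuple:
    return ROLE_POLICY.get(role, ())  # unknown roles fall back to "nothing"


def empty_only_hides_everything(select: Callable[..., Dict[str, Any]]) -> bool:
    """Regression check a schema filter should pass: an explicitly empty
    `only` must yield no fields, not all of them."""
    return select(RECORD, only=()) == {}
```

Running the check against both filters shows the buggy one leaks the whole record (including the password hash) to the "anonymous" role, while the fixed one returns an empty result.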