Empty Only Treated as None #772
Comments
As a coincidence, I sent PR #771 today to update the docstring. In I didn't seem like such a bad idea at first sight, but I agree it sucks if the I thinks defaulting to With this patch:
- def __init__(self, only=(), exclude=(), prefix='', many=False,
+ def __init__(self, only=None, exclude=(), prefix='', many=False,
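Review bot: Changing the default of `only` from `()` to `None` in `__init__` alters the public signature, so the docstring (PR #771 mentioned above) should state that `None` means all fields and that an empty sequence now means no fields; `exclude` keeps its `()` default, so the two options now use different "unset" sentinels, which is worth calling out explicitly in the docs.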
def _normalize_nested_options(self):
"""Apply then flatten nested schema options"""
- if self.only:
+ if self.only is not None:
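Review bot: The `is not None` test in `_normalize_nested_options` is the same semantic check as the one in `_update_fields` below; consider factoring it into a single helper or property (for example a hypothetical `self.has_only`) so the two call sites cannot drift apart in a later change.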
def _update_fields(self, obj=None, many=False):
"""Update fields based on the passed in object."""
- if self.only:
+ if self.only is not None:
all tests pass, including your test case above.
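Review bot: The `is not None` check in `_update_fields` fixes the reported case, but any remaining truthiness test on `self.only` elsewhere would reintroduce it; the PR should add a regression test that constructs a schema with `only=()` (and `only=set()`) and asserts that no fields are dumped, so the empty-filter case is locked in rather than relying only on the existing test passing.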
@lafrech Would you like to send a PR with your fix?
Fix #772 Empty Only Treated as None / 2.x-line
For the record, this issue was filed as CVE-2018-17175 and it was fixed in marshmallow 2.15.1.
When the `only` parameter is an empty list/set, it causes all the fields to be de/serialized like `None`. The implementations of 2.x and 3.0 are not in compliance with their respective docs. This could create a security vulnerability if an application was dynamically generating the field set based on security role. A filter that was meant to hide everything would inadvertently show everything.
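To illustrate the failure mode the reporter describes (a role-based filter meant to hide everything showing everything), here is an added example with a toy field filter in its buggy form beside the corrected one; it is not marshmallow's code, and `BuggyFilter`, `FixedFilter`, `ROLE_FIELDS` and `dump_for_role` are hypothetical names.

```python
# Added example (not marshmallow's own code): a minimal field-selection helper
# reproducing the falsy-sentinel bug from this issue and the "is not None" fix.
from typing import Iterable, Mapping, Optional

ALL_FIELDS = ("id", "email", "password_hash", "role")


class BuggyFilter:
    """Mirrors the reported behaviour: only=() is falsy, so it acts like None."""

    def __init__(self, only: Iterable[str] = ()):
        self.only = set(only)

    def dump(self, obj: Mapping[str, object]) -> dict:
        if self.only:  # bug: an empty set is treated as "no restriction"
            names = [n for n in ALL_FIELDS if n in self.only]
        else:
            names = list(ALL_FIELDS)
        return {n: obj[n] for n in names}


class FixedFilter:
    """Uses None as the 'unrestricted' sentinel, as in the patch above."""

    def __init__(self, only: Optional[Iterable[str]] = None):
        self.only = None if only is None else set(only)

    def dump(self, obj: Mapping[str, object]) -> dict:
        if self.only is not None:  # () and set() now really mean "no fields"
            names = [n for n in ALL_FIELDS if n in self.only]
        else:
            names = list(ALL_FIELDS)
        return {n: obj[n] for n in names}


# Constructed role table: the dynamic field-set pattern the issue warns about.
ROLE_FIELDS = {"admin": ALL_FIELDS, "user": ("id", "email"), "anonymous": ()}


def dump_for_role(filter_cls, role: str, obj: Mapping[str, object]) -> dict:
    """Build the filter from the role's allow-list and dump the object."""
    return filter_cls(only=ROLE_FIELDS[role]).dump(obj)


# Constructed sample record; the hash value is a placeholder, not real data.
USER = {"id": 7, "email": "a@example.test", "password_hash": "<placeholder>", "role": "user"}
```

Running `dump_for_role(BuggyFilter, "anonymous", USER)` returns every field, including `password_hash`, while the fixed class returns an empty dict for the same input.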