[ADD] Security pitfall: http request

This commit is contained in:
Florian Vranckx
2022-09-15 16:41:14 +02:00
parent 79e58e3db1
commit a33970fb1d


@@ -481,3 +481,17 @@ field value can be easily achieved safely:
The above method is obviously still too optimistic and additional verifications
on the record id and field value must be done.
Http Request
---------------------------
Some may need to make an HTTP request directly from python, it is require to follow some best practices
**Injectable domain**
Care must be taken while manipulating the domain name of the request, the domain should never depend on user input.
If the domain can be changed by the user, a malicious user could use the server running the code to send multiple requests to a chosen target.
This is known as a reflective-DDOS attack, where one can overload a target without sending the packet himself.
**URL path/query Injectable**
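Review bot: the threat in the **Injectable domain** paragraph is mislabelled, and the main risk is missing. An attacker who controls the domain of a server-side request is performing server-side request forgery (SSRF); the denial-of-service case described (the server sends multiple requests to a chosen target) is the server being used as a proxy, not a reflective DDoS in the usual sense, where reflection relies on spoofed source addresses so that a third party's replies hit the victim. The more serious consequence of a user-controlled domain is that the server can be made to reach hosts the attacker cannot reach directly (internal services, loopback, cloud metadata endpoints). Suggest rewording to "This is a form of server-side request forgery (SSRF): the server can be used as a proxy to reach internal hosts or to flood a target on the attacker's behalf" and stating the mitigation explicitly: the host must come from code or configuration, or at least be checked against a fixed allow-list. Smaller points in the same hunk: "it is require to follow some best practices" should read "it is required to follow some best practices", and the heading "Http Request" should be "HTTP Request" to match the "HTTP request" spelling used in the sentence below it.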