You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently the installation document/README just says add URLs to your Django. No issues with this part. What is not specified here is that the URL /martor/markdownify/ now becomes "public". By itself, it is not a problem. There maybe many "mitigating" circumstances such as ALBs that don't allow /martor/ URLs and such. But, if someone were to just directly deploy this without reading the code, they have unintentionally exposed an unauthenticated URL.
Either we should call it out explicitly in the README, or better yet, there should be no reason for the function markdownfy_view to not have the login_required decorator which all the other functions have.
The text was updated successfully, but these errors were encountered:
Currently the installation document/README just says add URLs to your Django. No issues with this part. What is not specified here is that the URL
/martor/markdownify/now becomes "public". By itself, it is not a problem. There maybe many "mitigating" circumstances such as ALBs that don't allow/martor/URLs and such. But, if someone were to just directly deploy this without reading the code, they have unintentionally exposed an unauthenticated URL.Either we should call it out explicitly in the README, or better yet, there should be no reason for the function
markdownfy_viewto not have thelogin_requireddecorator which all the other functions have.The text was updated successfully, but these errors were encountered: