{"html_url": "https://github.com/simonw/datasette/issues/842#issuecomment-650648434", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/842", "id": 650648434, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MDY0ODQzNA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-27T23:27:35Z", "updated_at": "2020-06-27T23:37:38Z", "author_association": "OWNER", "body": "I'm going to rename `_request_X` to `_header_X` as that better reflects what it now does.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 638212085, "label": "Magic parameters for canned queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/842#issuecomment-650593122", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/842", "id": 650593122, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MDU5MzEyMg==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-27T18:03:02Z", "updated_at": "2020-06-27T18:03:10Z", "author_association": "OWNER", "body": "> Security thought: make sure it's not possible to accidentally open up a security hole where an attacker can send a GET request that causes the magic parameter `_cookie_ds_actor` to be resolved and returned as JSON data that the attacker can see.\r\n\r\nThis is an open security hole in https://github.com/simonw/datasette/commit/94c1315f0030fd58ce46a9294052c5c9d9d181c7 - it's useful for testing, but I need to remove it before I land that branch.\r\n\r\nhttps://github.com/simonw/datasette/blob/94c1315f0030fd58ce46a9294052c5c9d9d181c7/datasette/views/database.py#L231-L237\r\n", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 638212085, "label": "Magic parameters for canned queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/842#issuecomment-650458857", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/842", "id": 650458857, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MDQ1ODg1Nw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-27T00:11:04Z", "updated_at": "2020-06-27T00:11:04Z", "author_association": "OWNER", "body": "Security thought: make sure it's not possible to accidentally open up a security hole where an attacker can send a GET request that causes the magic parameter `_cookie_ds_actor` to be resolved and returned as JSON data that the attacker can see.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 638212085, "label": "Magic parameters for canned queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/842#issuecomment-650455793", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/842", "id": 650455793, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MDQ1NTc5Mw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-26T23:57:30Z", "updated_at": "2020-06-27T00:00:16Z", "author_association": "OWNER", "body": "Maybe I should ship a default `_scope_headers_...` parameter instead, which reads from a dictionary of `scope[\"headers\"]` - https://asgi-scope.now.sh/ shows what those look like.\r\n\r\n```\r\n{'client': ('148.64.98.14', 0),\r\n 'headers': [[b'host', b'asgi-scope.now.sh'],\r\n [b'x-forwarded-for', b'148.64.98.14'],\r\n [b'x-vercel-id', b'sw72x-1593215573008-024e4e603806'],\r\n [b'x-forwarded-host', b'asgi-scope.now.sh'],\r\n [b'accept',\r\n b'text/html,application/xhtml+xml,application/xml;q=0.9,image/'\r\n b'webp,*/*;q=0.8'],\r\n [b'x-real-ip', b'148.64.98.14'],\r\n [b'x-vercel-deployment-url', b'asgi-scope-9eyeojbek.now.sh'],\r\n [b'upgrade-insecure-requests', b'1'],\r\n [b'x-vercel-trace', b'sfo1'],\r\n [b'x-forwarded-proto', b'https'],\r\n [b'accept-language', b'en-US,en;q=0.5'],\r\n [b'user-agent',\r\n b'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko'\r\n b'/20100101 Firefox/77.0'],\r\n [b'x-vercel-forwarded-for', b'148.64.98.14'],\r\n [b'accept-encoding', b'gzip, deflate, br'],\r\n [b'dnt', b'1'],\r\n [b'te', b'trailers']],\r\n 'http_version': '1.1',\r\n 'method': 'GET',\r\n 'path': '/',\r\n 'query_string': b'',\r\n 'raw_path': b'/',\r\n 'root_path': '',\r\n 'scheme': 'https',\r\n 'server': ('asgi-scope.now.sh', 80),\r\n 'type': 'http'}\r\n```\r\n\r\nI'm going to have `_request_X` actually mean \"find the first value for X in `scope[\"headers\"]`\" - with underscores converted to hyphens.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 638212085, "label": "Magic parameters for canned queries"}, "performed_via_github_app": null}