diff -Naur marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba/marshmallow/schema.py marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba.cve-2018-17175/marshmallow/schema.py
--- marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba/marshmallow/schema.py 2015-08-23 17:31:05.000000000 +0200
+++ marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba.cve-2018-17175/marshmallow/schema.py 2018-09-21 14:40:18.997634163 +0200
@@ -339,7 +339,7 @@
"""
pass
- def __init__(self, extra=None, only=(), exclude=(), prefix='', strict=False,
+ def __init__(self, extra=None, only=None, exclude=(), prefix='', strict=False,
many=False, context=None, load_only=(), dump_only=()):
# copy declared fields from metaclass
self.declared_fields = copy.deepcopy(self._declared_fields)
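Review bot: With the default changed to `only=None` in the `__init__` signature, `self.only` can now hold `None`, and this hunk does not show the other readers of that attribute. Any code outside the hunk that iterates `self.only`, takes its length, or passes it to nested schemas would need to handle `None`; only `_update_fields` is adjusted in this patch. The distinction also belongs in the parameter documentation, for example `:param tuple only: Fields to include. ``None`` (the default) means all fields; an empty collection means no fields.`. Callers that passed `only=()` or `only=[]` to mean "no filter" now get empty output, which is the intended fix but is worth a changelog line. The body of `__init__` continues past the end of the hunk.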
@@ -668,7 +668,7 @@
def _update_fields(self, obj=None, many=False):
"""Update fields based on the passed in object."""
- if self.only:
+ if self.only is not None:
# Return only fields specified in fields option
field_names = self.set_class(self.only)
elif self.opts.fields:
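Review bot: The `elif self.opts.fields:` branch just below the fixed line still uses a truthiness test, so an empty `Meta.fields` would presumably fall through to the later branches rather than select no fields. That is the same "empty filter means everything" pattern this patch removes for `only`. Whether it can simply become an `is not None` check depends on the default of `opts.fields`, which is not visible here. At minimum, document it at the branch, e.g. `# NOTE: an empty Meta.fields is falsy and is treated as "not set"`. `_update_fields` continues beyond the hunk.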
diff -Naur marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba/tests/test_schema.py marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba.cve-2018-17175/tests/test_schema.py
--- marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba/tests/test_schema.py 2015-08-23 17:31:05.000000000 +0200
+++ marshmallow-a8b33850c74975250fa81308ce3aa4868128d3ba.cve-2018-17175/tests/test_schema.py 2018-09-21 14:37:04.100516852 +0200
@@ -1284,6 +1284,12 @@
}
assert errors == expected
+def test_only_empty():
+ class MySchema(Schema):
+ foo = fields.Field()
+
+ sch = MySchema(only=())
+ assert 'foo' not in sch.dump({'foo': 'bar'})
class TestPreprocessors:
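Review bot: The assertion in `test_only_empty` may pass without exercising the fix. The surrounding tests unpack results (`assert errors == expected`), which suggests that in this release line `dump()` returns a `(data, errors)` result tuple rather than the serialized dict. If so, `'foo' not in sch.dump(...)` tests membership in that tuple and is true even on unpatched code. Asserting on the data would pin the behaviour: `assert 'foo' not in sch.dump({'foo': 'bar'}).data`. A companion check that the default still serializes everything, `assert 'foo' in MySchema().dump({'foo': 'bar'}).data`, would guard against the `None` default regressing.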