Hi guys,
We ran into a hack you could use on web.py sites under certain conditions:
web.py doesn't check that the HTTP method the user has given is a valid one,
and just goes ahead and calls it, even if it's "__doc__" or something.
It's not normally an issue, but we have various non-HTTP-method-handler
functions in some of our web.py request classes, and other people might too,
such as "check_auth()" and whatnot.
And sometimes we do fancy inheritance stuff with the web.py request class,
so they sub-class from some other new-style class, in which case the class
has methods like __setattr__ and stuff. Potentially dangerous.
Anyway, long story short, we've fixed it by adding a valid_methods list to
request.py. It defaults to the list of valid HTTP methods web.py already had
in nomethod(), but a web.py user could add to that list if he wanted custom
stuff (possible, but probably a bad idea).
So we have something like:
-----------
valid_methods = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE']

def handle(mapping, fvars=None):
    ...
    # Reject anything that isn't a known HTTP method before it is
    # looked up on the handler class, so "__doc__", "check_auth" etc.
    # never reach getattr()/call.
    if meth not in valid_methods or not hasattr(cls, meth):
        return nomethod(cls)
    ...

def nomethod(cls):
    ...
    # Advertise only the real HTTP methods the class implements.
    web.header('Allow', ', '.join([method for method in valid_methods
                                   if hasattr(cls, method)]))
-----------
And here's the little Python script I used to test sending crazy methods:
-----------
# Python 2 script: send an arbitrary (non-HTTP) method name to a web.py
# site and dump the response so you can see how the dispatcher reacts.
import httplib

host = 'some-webpy-site.com'   # placeholder host
url = '/'
method = '__doc__'             # the "method" under test
print host, method, url

h = httplib.HTTPConnection(host)
h.request(method, url, headers={'Host': host})
r = h.getresponse()
d = r.read()

print r.status, r.reason
for k, v in r.getheaders():
    print '%s: %s' % (k, v)
print '-----'
print 'len(data) =', len(d)
print d[:500]
-----------
Cheers,
Ben.
--
Ben Hoyt, http://benhoyt.com/
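The two dispatch paths the post describes, as an added example rather than web.py's own code: a stand-in for handle()/nomethod() that looks up whatever name the client sent, next to the version guarded by the valid_methods allow-list. The `Index` handler class and the `dispatch_*`/`allow_header` names are assumed for illustration.

```python
# Added example (not web.py's own code): minimal model of the dispatch
# described in the post, before and after the allow-list fix.
VALID_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE']


class Index:
    """Handler class mixing HTTP verbs with an internal helper (assumed)."""

    def GET(self):
        return 200, 'hello from GET'

    def check_auth(self):
        # Internal helper; must never be callable by a client.
        return 200, 'auth helper ran'


def dispatch_unchecked(cls, meth):
    """Original behaviour: any attribute name the client sent is looked up
    on the handler class and called."""
    if not hasattr(cls, meth):
        return 405, 'Method Not Allowed'
    try:
        return getattr(cls(), meth)()
    except TypeError as exc:
        # e.g. "__doc__" resolves to a str, which is not callable, so the
        # request turns into an internal error instead of a clean 405.
        return 500, 'Internal Server Error: %s' % exc


def dispatch_checked(cls, meth):
    """Fixed behaviour: reject anything outside the HTTP allow-list before
    it is ever looked up on the class."""
    if meth not in VALID_METHODS or not hasattr(cls, meth):
        return 405, 'Method Not Allowed'
    return getattr(cls(), meth)()


def allow_header(cls):
    """Allow header value: only real HTTP methods the class implements."""
    return ', '.join(m for m in VALID_METHODS if hasattr(cls, m))
```

With the unchecked dispatcher `check_auth` runs on request and `__doc__` produces a 500; the checked one returns 405 for both while still serving `GET`.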
You received this message because you are subscribed to the Google Groups
"web.py" group.