On Dec 14, 2007 7:26 AM, Ben Hoyt <[EMAIL PROTECTED]> wrote:
> Hi guys,
>
> We ran into a hack you could use on web.py sites under certain conditions:
> web.py doesn't check that the HTTP method the user has given is a valid one,
> and just goes ahead and calls it, even if it's "__doc__" or something.
>
> It's not normally an issue, but we have various non-HTTP-method-handler
> functions in some of our web.py request classes, and other people might too,
> such as "check_auth()" and whatnot.
>
> And sometimes we do fancy inheritance stuff with the web.py request class,
> so they sub-class from some other new-style class, in which case the class
> has methods like __setattr__ and stuff. Potentially dangerous.
>
> Anyway, long story short, we've fixed it by adding a valid_methods list to
> request.py. It defaults to the list of valid HTTP methods web.py already had
> in nomethod(), but a web.py user could add to that list if he wanted custom
> stuff (possible, but probably a bad idea).
That's dangerous. But isn't that the duty of the webserver?

You received this message because you are subscribed to the Google Groups "web.py" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/webpy?hl=en
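The dispatch problem Ben describes, reduced to a toy example. This is an added illustration, not web.py's own request.py code: it shows a dispatcher that resolves the request method by attribute lookup next to one that first checks the name against a whitelist, so that a non-HTTP name such as `check_auth` or `__doc__` is answered with 405 instead of being called. The names `Handler`, `VALID_METHODS`, `dispatch_unchecked` and `dispatch_checked` are hypothetical, and the method list is constructed for the example rather than copied from web.py's `nomethod()`.

```python
# Added example (not web.py code). The handler class, whitelist and
# dispatcher names are hypothetical; the method list is constructed here.

# Constructed whitelist of HTTP methods a handler class may expose on the wire.
VALID_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


class Handler(object):
    """Hypothetical request class: one real HTTP method plus an internal helper."""

    def GET(self):
        return "hello"

    def check_auth(self):
        # Helper that should only ever be called from inside the handler.
        return "auth helper ran"


def dispatch_unchecked(handler_cls, method):
    """The unsafe pattern: whatever the client sent becomes an attribute name."""
    handler = handler_cls()
    func = getattr(handler, method, None)
    if func is None or not callable(func):
        return 405, "Method Not Allowed"
    return 200, func()


def dispatch_checked(handler_cls, method):
    """Whitelist the method name before any attribute lookup happens."""
    if method not in VALID_METHODS:
        return 405, "Method Not Allowed"
    handler = handler_cls()
    func = getattr(handler, method, None)
    if func is None or not callable(func):
        # A valid HTTP verb the class simply does not implement.
        return 405, "Method Not Allowed"
    return 200, func()


if __name__ == "__main__":
    # Constructed request methods: one legitimate, two that should never dispatch.
    for method in ("GET", "check_auth", "__doc__"):
        print("%-10s unchecked=%s checked=%s" % (
            method,
            dispatch_unchecked(Handler, method),
            dispatch_checked(Handler, method),
        ))
```

The difference is where the decision is made: the unchecked dispatcher lets the attribute lookup decide what is callable, so any callable attribute on the class (including inherited dunder methods) is reachable; the checked one decides on the method name alone, before the class is consulted, which is what a `valid_methods` list in the framework gives you regardless of how the handler class is built.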
