Subject: Re: CGI input: Filter dict.update() unwanted variables
From: Chris Angelico
To: python-list@python.org
Date: Tue, 23 Aug 2011 09:24:39 +0100
Newsgroups: comp.lang.python

On Mon, Aug 22, 2011 at 4:39 PM, Miki Tebeka wrote:
> You can check if there is a "non-allowed variable" and then return HTTP error.
> if set(form) - set(allowedVariables):
>     print('Status: 406\n\n')
>     raise SystemExit()
>
I'd be disinclined to do this; ignore unrecognized query variables, but don't throw back an error. Sometimes it's convenient to let the browser send a "junk header" that the server will ignore - helps with integration with other systems. As long as you can be sure that the script won't do the wrong thing, it should be fine to have an extra bit of GET/POST data.

ChrisA
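The two policies discussed in this exchange, side by side, as an added example (this is not code from either poster). The "reject" policy is the set difference from the quoted reply turned into an HTTP 406; the "ignore" policy that ChrisA prefers copies only allowlisted keys into the target dict. Either is safer than a bare `dict.update(form)`, which lets the client set any key the server happens to store. A constructed dict stands in for `cgi.FieldStorage` so the script runs offline, and the field names (`name`, `email`, `newsletter`, `is_admin`) are assumptions chosen for illustration.

```python
"""Allowlist filtering of CGI form input before dict.update().

Added example, not code from the original thread. A plain dict stands in
for cgi.FieldStorage so this runs offline; every field name below is an
assumption made for illustration.
"""
from typing import Dict, Iterable, Mapping, Set

# Fields the script actually expects from the browser (assumed for the example).
ALLOWED_FIELDS = frozenset({"name", "email", "newsletter"})


def unexpected_fields(form: Mapping[str, str],
                      allowed: Iterable[str] = ALLOWED_FIELDS) -> Set[str]:
    """Submitted field names that are not on the allowlist.

    This is the set difference from the quoted reply; a non-empty result
    is what the 'reject' policy turns into an HTTP 406.
    """
    return set(form) - set(allowed)


def cgi_status_for(form: Mapping[str, str],
                   allowed: Iterable[str] = ALLOWED_FIELDS) -> str:
    """Status line for the 'reject' policy: refuse any request with extras."""
    if unexpected_fields(form, allowed):
        return "Status: 406 Not Acceptable"
    return "Status: 200 OK"


def filtered_update(target: Dict[str, str], form: Mapping[str, str],
                    allowed: Iterable[str] = ALLOWED_FIELDS) -> Dict[str, str]:
    """The 'ignore' policy: copy only allowlisted keys from form into target.

    Extra parameters are dropped without an error, so a client may send
    junk, but it can never write a key the server did not explicitly
    open up. Mutates and returns target.
    """
    target.update({k: form[k] for k in form if k in allowed})
    return target


def naive_update(target: Dict[str, str], form: Mapping[str, str]) -> Dict[str, str]:
    """What the thread is trying to avoid: every client-supplied key lands in target."""
    target.update(form)
    return target


if __name__ == "__main__":
    # Constructed request: a normal form submission plus one injected field
    # that the server stores but never meant the client to control.
    submitted = {"name": "Ann", "email": "ann@example.invalid", "is_admin": "1"}
    record = {"name": "", "email": "", "is_admin": "0"}

    print("naive:   ", naive_update(dict(record), submitted))     # is_admin becomes "1"
    print("filtered:", filtered_update(dict(record), submitted))  # is_admin stays "0"
    print("reject:  ", cgi_status_for(submitted))
```

With a real `cgi.FieldStorage`, replace `form[k]` with `form.getfirst(k)` inside `filtered_update`; `form[k]` yields a `MiniFieldStorage` object rather than a string, and a parameter repeated in the query would otherwise come back as a list.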