| Started by | Gnarlodious <gnarlodious@gmail.com> |
|---|---|
| First post | 2011-08-22 08:28 -0700 |
| Last post | 2011-08-23 09:24 +0100 |
| Articles | 4 — 3 participants |
CGI input: Filter dict.update() unwanted variables Gnarlodious <gnarlodious@gmail.com> - 2011-08-22 08:28 -0700
Re: CGI input: Filter dict.update() unwanted variables Miki Tebeka <miki.tebeka@gmail.com> - 2011-08-22 08:39 -0700
Re: CGI input: Filter dict.update() unwanted variables Gnarlodious <gnarlodious@gmail.com> - 2011-08-22 21:12 -0700
Re: CGI input: Filter dict.update() unwanted variables Chris Angelico <rosuav@gmail.com> - 2011-08-23 09:24 +0100
| From | Gnarlodious <gnarlodious@gmail.com> |
|---|---|
| Date | 2011-08-22 08:28 -0700 |
| Subject | CGI input: Filter dict.update() unwanted variables |
| Message-ID | <d71c3602-24e6-40f7-a98d-37d21ba22980@k3g2000vbz.googlegroups.com> |
In my last post I learned of the necessity of filtering CGI input, so
what I want to do is set a dict of allowable variable names:
allowedVariables = {'eeny': None, 'meeny': None, 'miny': None, 'mo': None}
# Set up a FieldStorage object:
import cgi
inputVariables = cgi.FieldStorage()
# Simulate a request that carries one name ('mofo') NOT in allowedVariables:
for name, value in {"eeny": "value1", "meeny": "value2", "miny": "value3",
                    "mofo": "value4"}.items():
    inputVariables.list.append(cgi.MiniFieldStorage(name, value))
# Merge every submitted name into the dict, whatever it is called:
allowedVariables.update((key, inputVariables[key].value) for key in inputVariables)
print(allowedVariables)
As you can see, the variable 'mofo' gets added to allowedVariables,
which is normal behavior. Is there an easy way to limit updates to
ONLY variables in the allowedVariables dict?
And in addition, maybe return an error so the attacker can be blocked?
-- Gnarlie
| From | Miki Tebeka <miki.tebeka@gmail.com> |
|---|---|
| Date | 2011-08-22 08:39 -0700 |
| Message-ID | <61cd88fa-1820-4667-9c01-11fc1b8b574f@glegroupsg2000goo.googlegroups.com> |
| In reply to | #12033 |
> Is there an easy way to limit updates to
> ONLY variables in the allowedVariables dict?
import cgi
allowedVariables = ['eeny', 'meeny', 'miny', 'mo']
form = cgi.FieldStorage()
# Iterate over the allow-list, not the form, so unknown names never get in
# (getvalue() returns None for names the client did not send):
safe_input = dict((key, form.getvalue(key)) for key in allowedVariables)
> And in addition, maybe return an error so the attacker can be blocked?
You can check if there is a "non-allowed variable" and then return an HTTP error.
if set(form) - set(allowedVariables):
    print('Status: 406\n\n')
    raise SystemExit()
HTH
--
Miki Tebeka <miki.tebeka@gmail.com>
http://pythonwise.blogspot.com
| From | Gnarlodious <gnarlodious@gmail.com> |
|---|---|
| Date | 2011-08-22 21:12 -0700 |
| Message-ID | <857a0816-108a-4add-b71f-d41593d2e83a@n35g2000yqf.googlegroups.com> |
| In reply to | #12034 |
On Aug 22, 9:39 am, Miki Tebeka wrote:
> HTH
Yes it helps, thank you!
-- Gnarlie
http://Gnarlodious.com
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2011-08-23 09:24 +0100 |
| Message-ID | <mailman.339.1314087882.27778.python-list@python.org> |
| In reply to | #12034 |
On Mon, Aug 22, 2011 at 4:39 PM, Miki Tebeka <miki.tebeka@gmail.com> wrote:
> You can check if there is a "non-allowed variable" and then return HTTP error.
> if set(form) - set(allowedVariables):
>     print('Status: 406\n\n')
>     raise SystemExit()
>
I'd be disinclined to do this; ignore unrecognized query variables,
but don't throw back an error. Sometimes it's convenient to let the
browser send a "junk header" that the server will ignore - helps with
integration with other systems. As long as you can be sure that the
script won't do the wrong thing, it should be fine to have an extra
bit of GET/POST data.
ChrisA
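As an added example (not code from any of the posts above), here is the allow-list filter from Miki's reply built out to support both policies the thread discusses: silently drop unknown parameters, as Chris suggests, or refuse the request outright, as Miki's snippet does. It also keeps the original post's dict.update() pattern beside the fix, to show concretely what goes wrong when the request chooses the keys. It uses urllib.parse.parse_qs on a raw query string instead of cgi.FieldStorage, because the cgi module was removed from the standard library in Python 3.13; the filtering logic is the same for any name-to-values mapping. ALLOWED, SAMPLE_QUERY, filter_input, handle_request, unsafe_update and the 400 status (rather than the thread's 406) are choices of this example, not anything from the thread.

```python
"""Allow-list filtering of CGI/query-string input (added example, not from the thread).

Uses urllib.parse.parse_qs instead of cgi.FieldStorage: the cgi module was
removed from the standard library in Python 3.13, and the filtering logic is
the same for any name -> [values] mapping.
"""
from urllib.parse import parse_qs

# Assumed allow-list for this example (the names from the original post).
ALLOWED = ("eeny", "meeny", "miny", "mo")

# Constructed sample request: three expected names plus two the application
# never asked for, one of which collides with an internal setting.
SAMPLE_QUERY = "eeny=value1&meeny=value2&miny=value3&mofo=value4&admin=True"


class UnexpectedParameter(ValueError):
    """Raised in strict mode when the request carries a name not on the allow-list."""


def parse_form(query_string):
    """Raw query string -> {name: [value, ...]}; blank values are kept so
    'mo=' still counts as 'mo' being present."""
    return parse_qs(query_string, keep_blank_values=True)


def unsafe_update(query_string):
    """The pattern from the original post: dict.update() keyed by client-chosen names.

    Every name the client sends lands in the dict, so a request can add keys
    ('mofo') or overwrite ones the application never meant to expose ('admin').
    """
    settings = {"eeny": None, "meeny": None, "miny": None, "mo": None, "admin": False}
    settings.update((name, values[0]) for name, values in parse_form(query_string).items())
    return settings


def filter_input(form, allowed=ALLOWED, strict=False):
    """Return a dict containing only allow-listed names.

    Iteration is driven by the allow-list, not by the request, so unknown
    names can never get in. Every allowed name is present (None when absent)
    so downstream code is not surprised by a missing key; when a name is
    repeated the first value wins. With strict=True any extra name raises
    instead of being dropped. Values are still untrusted strings: type,
    length and range checks are a separate step.
    """
    extra = set(form) - set(allowed)
    if strict and extra:
        raise UnexpectedParameter(sorted(extra))
    return {name: (form[name][0] if form.get(name) else None) for name in allowed}


def handle_request(query_string, strict=False):
    """Minimal CGI-style handler returning (status_line, clean_input).

    Lenient mode silently drops unknown names (Chris's advice); strict mode
    rejects the request before any value reaches the application (Miki's
    advice), with 400 Bad Request rather than the 406 used in the thread.
    """
    try:
        clean = filter_input(parse_form(query_string), strict=strict)
    except UnexpectedParameter:
        return "Status: 400 Bad Request", None
    return "Status: 200 OK", clean


if __name__ == "__main__":
    print("unsafe:  ", unsafe_update(SAMPLE_QUERY))
    print("lenient: ", handle_request(SAMPLE_QUERY))
    print("strict:  ", handle_request(SAMPLE_QUERY, strict=True))
```

The important difference from the original post is the direction of the loop: filter_input walks the allow-list and looks names up in the request, whereas dict.update() walks the request and writes whatever names it finds. Whether to run it strict or lenient is a policy call; in a real deployment the strict branch should also log the offending names so the rejections are visible to whoever watches the server.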