[mod_python] Questions on _call_ with mp servlets and python

Jim Dabell jim-mod-python at jimdabell.com
Fri Sep 3 22:09:52 EDT 2004


On Friday 03 September 2004 20:35, David Fraser wrote:
> This is security by obscurity. I would think making sure the values
> passed into a function are safe is more important. The danger of
> security by obscurity is it misleads you into not doing this kind of
> checking...
> I *love* being able to pass GET variables into functions in other
> peoples programs ... it means web programs are easier to interact with.
> Just this week I wrote a script to search for flights on top of an
> airline's website ... it saved me a lot of time

Actually, there is a security aspect to removing the ability to use query 
string parameters in place of POST variables.  An attacker who can induce 
somebody to visit a page they created can cause the user to automatically 
call these functions by simply using something like:

<img src="http://www.example.com/script?deletesomething=true">

As it will be the user who is executing this function, the only clue you have 
to "making sure the values passed into a function are safe" is that it was 
submitted via query string parameters and not POST variables.

If you don't use the query string parameters when you are expecting POST 
variables, then your users are not susceptible to this form of attack.

-- 
Jim Dabell
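The check Jim describes, as an added example that is not part of the original thread and not mod_python's own API: a small hypothetical request handler that parses the query string and the POST body separately, so a state-changing field such as `deletesomething` is only honoured when it arrives in a POST body. A forged `<img src="...?deletesomething=true">` can only produce a GET with the field in the query string, which the handler refuses. The handler signature, the `STATE_CHANGING` set and the sample requests are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed example: fields that change server state and must only be
# accepted from a POST body, never from the query string.
STATE_CHANGING = {"deletesomething"}


def handle(method, query_string, body,
           content_type="application/x-www-form-urlencoded"):
    """Hypothetical handler. Returns (status, reason).

    status is one of:
      "rejected" - a state-changing field arrived via the query string
      "accepted" - a state-changing field arrived in a POST body
      "ignored"  - no state-changing field present
    """
    # Query-string parameters and POST body fields are kept apart instead
    # of being merged into one dictionary.
    query = parse_qs(query_string, keep_blank_values=True)
    form = {}
    if method == "POST" and content_type.startswith(
            "application/x-www-form-urlencoded"):
        form = parse_qs(body, keep_blank_values=True)

    # Any state-changing field in the query string is a signal that the
    # request did not come from our own POST form: refuse it outright.
    leaked = sorted(STATE_CHANGING & set(query))
    if leaked:
        return ("rejected",
                "state-changing field(s) in query string: " + ", ".join(leaked))

    present = sorted(STATE_CHANGING & set(form))
    if present and method == "POST":
        values = ", ".join("%s=%s" % (k, form[k][0]) for k in present)
        return ("accepted", values + " via POST body")
    return ("ignored", "no state-changing field present")


if __name__ == "__main__":
    # The forged image request from the message above, then a real form post.
    print(handle("GET", "deletesomething=true", ""))
    print(handle("POST", "", "deletesomething=true"))
    print(handle("POST", "deletesomething=true", ""))
    print(handle("GET", "q=flights", ""))
```

Refusing query-string copies of POST-only fields blocks the image-tag variant described in the message. It does not by itself stop a page that auto-submits a hidden POST form to the same URL, so a per-session token carried in the form body is the usual companion to this check.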