[mod_python] psp import issue

Graham Dumpleton graham.dumpleton at gmail.com
Fri Jun 22 03:03:05 EDT 2007


On 22/06/07, maker joe <makerjoe at gmail.com> wrote:
> hi graham
>
> there is a mistake on
> locals()["_%s"+%k] = req.form[k]
>
> should be
> locals()["_%s"+k] = req.form[k]

Actually, it should have been:

  locals()["_%s"%k] = req.form[k]

as was trying to use mod operator on the string in preference to
addition of string so that auto conversion of string would happen.

Did this as for some reason, maybe old versions of mod_python, I have
seen a None key come through. If this did occur the addition of strings
would fail as adding string with None, whereas mod operator would
have converted None object to None value in string and not died. Yes
it could wipe out other field if one was called None, so by rights if
this is still an issue should use:

  if k:
    locals()["_%s"%k] = req.form[k]

Graham

> kind regards
> joseluis
>
> On 6/21/07, Graham Dumpleton <graham.dumpleton at gmail.com> wrote:
> > On 22/06/07, maker joe <makerjoe at gmail.com> wrote:
> > > sure you convinced me
> > >
> > > but why not ?
> > >     for k in req.form:
> > >         exec ("_"+k+"="+"req.form[k]")
> > >         print k,_test
> >
> > Using a prefix is one way of avoiding the problem, but don't use exec
> > as there is no need to. Use:
> >
> >   locals()["_%s"+%k] = req.form[k]
> >
> > Graham
> >
> > > On 6/21/07, Graham Dumpleton <graham.dumpleton at gmail.com> wrote:
> > > > On 22/06/07, Graham Dumpleton <graham.dumpleton at gmail.com> wrote:
> > > > > > and
> > > > > > req.form['varx']  by _varx
> > > > >
> > > > > Don't recommend pushing form fields in local name space as doesn't
> > > > > make it as obvious that it is a form field and there would be a
> > > > > tendency not to perform checks to make sure the field you are looking
> > > > > for actually exists. Also, it will all possibly blow up if someone
> > > > > supplied a field you weren't expecting which replaced some important
> > > > > data or clashed with a keyword.
> > > > >
> > > > > If you really must do something like that though, you might adapt the
> > > > > following code from mod_python.util.apply_fs_data(). Replace 'fs' with
> > > > > req.form and replace args with locals().
> > > > >
> > > > >     # add form data to args
> > > > >     for field in fs.list:
> > > > >         if field.filename:
> > > > >             val = field
> > > > >         else:
> > > > >             val = field.value
> > > > >         args.setdefault(field.name, []).append(val)
> > > > >
> > > > >     # replace lists with single values
> > > > >     for arg in args:
> > > > >         if ((type(args[arg]) is ListType) and
> > > > >             (len(args[arg]) == 1)):
> > > > >             args[arg] = args[arg][0]
> > > >
> > > > BTW, if using publisher, a quicker way of doing this would be:
> > > >
> > > >   def func(req, arg1, arg2, **args):
> > > >     locals().update(args)
> > > >     ...
> > > >
> > > > As I said though, this is dangerous as someone outside your web site
> > > > can directly modify data your function uses to execute or cause your
> > > > handler to crash in bad ways.
> > > >
> > > > For example, with publisher function:
> > > >
> > > >   def index(req, **args):
> > > >     locals().update(args)
> > > >     req.content_type = 'text/plain'
> > > >     return 'mod_python.publisher', req.filename
> > > >
> > > > If URL of:
> > > >
> > > >   http://localhost:8002/~grahamd/publisher/index.py?req=xxx
> > > >
> > > > is used, I get an error saying:
> > > >
> > > >   AttributeError: 'mp_request' object has no attribute 'append'
> > > >
> > > > This is because I was able to replace the request object argument with
> > > > another value.
> > > >
> > > > Same problem will occur if using the longer example I showed before.
> > > >
> > > > Hopefully you will now be convinced this is a bad bad idea.
> > > >
> > > > Graham
> > > >
> > >
> >
>
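
The trade-off discussed in this thread, as an added example that is not part of the original posts: binding every submitted field into a namespace, the "_" prefix variant with the `if k:` guard, and an allowlist that keeps form values in their own dict. A plain dict stands in for `req.form`, and the helper names and sample data are assumptions made for illustration.

```python
# Added example: a plain dict stands in for mod_python's req.form
# (assumption); all helper names here are hypothetical.

EXPECTED_FIELDS = ("name", "email")  # fields this handler declares


def unsafe_bind(namespace, form):
    """Every submitted key becomes a name: the pattern warned against."""
    for k in form:
        namespace["%s" % k] = form[k]
    return namespace


def prefixed_bind(namespace, form):
    """The thread's "_" prefix variant, including the 'if k:' guard."""
    for k in form:
        if k:
            namespace["_%s" % k] = form[k]
    return namespace


def read_fields(form, expected=EXPECTED_FIELDS):
    """Allowlist: copy only declared fields into a separate dict.

    Returns (values, missing, unexpected) so the handler can check that
    a field exists and can log field names it never asked for.
    """
    values, missing = {}, []
    for name in expected:
        if name in form and form[name] is not None:
            values[name] = form[name]
        else:
            missing.append(name)
    unexpected = sorted(str(k) for k in form if k not in expected)
    return values, missing, unexpected


# Constructed sample submission: one expected field, one field named
# after a handler variable, and a None key as mentioned in the reply.
SAMPLE_FORM = {"name": "joe", "req": "xxx", None: "stray"}
```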

