[mod_python] Method POST

Graham Dumpleton graham.dumpleton at gmail.com
Sat Jan 30 20:56:21 EST 2010


2010/1/30 Raphaël B. <nashii at gmail.com>:
> Hello,
>
> Is there any way to know if some data that are in req.form are "POST" or
> "GET" data?
> It's better if we want to protect our form ... And I want to treat ONLY the
> POSTed data ...
>
> Can you help me?

Use:

  if req.method == "POST" and req.args:
    # GET style args were supplied to POST, so generate an error to forbid it
    raise apache.SERVER_RETURN, apache.HTTP_FORBIDDEN

If you want to try and still allow it but treat them differently, it
gets a bit harder. This is because the FieldStorage class merges GET args
into POST args.

        #### lib/python/mod_python/util.py

        # always process GET-style parameters
        if req.args:
            pairs = parse_qsl(req.args, keep_blank_values)
            for pair in pairs:
                self.add_field(pair[0], pair[1])

You would have to parse req.args yourself like above. Removing the
entries with that key may not be sufficient however in as much as the
same value could have been supplied through both GET and POST args, in
which case there will be multiple entries. Thus you would need to also
look at the value of the arg supplied via GET and be selective about
which to remove from the overall argument set.
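An added example (not code from this thread or from mod_python) of the selective removal described above, written in plain Python so it runs without Apache. `posted_only` and `mixed_request` are assumed helper names, and the merged pair list stands in for what you would build from `req.form.list` in a real handler:

```python
from collections import Counter
from urllib.parse import parse_qsl

def posted_only(args, merged, keep_blank_values=True):
    """Drop the GET-style pairs that FieldStorage folded into the field list.

    args:   the raw query string, what mod_python exposes as req.args
    merged: (name, value) pairs as FieldStorage holds them; in a real
            handler build it as [(f.name, f.value) for f in req.form.list]
            (assumed attribute layout, not verified here)
    Each query pair is removed exactly once, so a body field that repeats a
    query parameter's name AND value still survives as POSTed data.
    """
    query = Counter(parse_qsl(args or "", keep_blank_values=keep_blank_values))
    kept = []
    for pair in merged:
        if query[pair] > 0:
            query[pair] -= 1      # this copy is accounted for by the query string
            continue
        kept.append(pair)
    return kept

def mixed_request(method, args):
    """True when a POST also carried query-string args, the case the reply
    suggests refusing outright instead of untangling."""
    return method == "POST" and bool(args)

# Constructed sample: a POST to /submit?user=alice&token=abc whose body also
# repeats user=alice and adds comment=hi.
SAMPLE_ARGS = "user=alice&token=abc"
SAMPLE_BODY = "user=alice&comment=hi"

def demo():
    # Reproduce the util.py merge: query pairs added first, then the body fields.
    merged = (parse_qsl(SAMPLE_ARGS, keep_blank_values=True)
              + parse_qsl(SAMPLE_BODY, keep_blank_values=True))
    return posted_only(SAMPLE_ARGS, merged)

if __name__ == "__main__":
    print(mixed_request("POST", SAMPLE_ARGS))   # True
    print(demo())                                # [('user', 'alice'), ('comment', 'hi')]
```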

You could get even more tricky by using a special handler to null out
req.args prior to mod_python.publisher getting to it. Thus:

  PythonHandler mymodules.fixupargs .py
  PythonHandler mod_python.publisher .py

Where in your mymodules/fixupargs.py (installed on module path
somewhere), you have:

  from mod_python import apache

  def handler(req):
    # Null out GET-style args on a POST before mod_python.publisher builds req.form
    if req.method == "POST" and req.args:
      req.args = ""
    return apache.DECLINED

Overall your goal of trying to ensure people use your form isn't going
to really work doing it this way. This is because someone could just
copy the HTML of your form to local disk on their machine, change the
form, change the target of the form to list your site explicitly and
then still use POST. If you were going to try and be more
sophisticated you would look at the HTTP Referer header, but even
that can be forged when using a custom HTTP client.

So, what is the real issue you are trying to solve that would even
require such checks?

Graham


