Johannes Erdfelt
johannes at erdfelt.com
Tue Oct 19 16:56:50 EDT 2004
I've been using vampire the last couple of days and I like it, but it has some problems that some code I originally wrote didn't have.

This patch fixes a problem where unknown query variables (form variables) could cause an internal server error. Generally, this shouldn't happen and on a well-designed site, it's the user's error for causing this to occur, but it causes some undue alarm when looking at the logs, so I wrote up this patch to remove unknown query variables before applying it to the called handler. It also prints out an error message if variables are required by the handler, but aren't given by the client (it doesn't have a default).

It applies to vampire 1.1

JE

diff -ur vampire-1.1-20041009.orig/packages/vampire/apache.py vampire-1.1-20041009/packages/vampire/apache.py --- vampire-1.1-20041009.orig/packages/vampire/apache.py 2004-10-08 18:31:50.000000000 -0700 +++ vampire-1.1-20041009/packages/vampire/apache.py 2004-10-19 13:55:48.000000000 -0700 
@@ -171,4 +171,40 @@ # Execute the content handler. - return apply(function,(req,),args) + # Match up the arguments given by the client to the expected arguments + # from the method. We only remove non expected names and don't check for + # expected because the argument may have a default if not set. We use + # exceptions to catch the case where an argument does not have a default. + fc = function.func_code + expected = fc.co_varnames[0:fc.co_argcount] + + # Silently remove any unexpected arguments if we need to + if not fc.co_flags & 0x000C: # CO_VARARGS | CO_VARKEYWORDS + for name in args.keys(): + if name not in expected: + del args[name] + + try: + return apply(function,(req,),args) + except TypeError, vars: + missing = [] + + # Don't worry about the arguments with defaults + argcount = fc.co_argcount + if function.func_defaults: + argcount = argcount - len(function.func_defaults) + # Skip the first argument, which is the req + for name in fc.co_varnames[1:argcount]: + if name not in args: + missing.append(name) + + if not len(missing): + raise + + # We definately had some missing variables, let's let the user know + req.content_type = "text/plain" + req.status = apache.HTTP_INTERNAL_SERVER_ERROR + req.send_http_header() + req.write("Call is missing these variables: %s\n" % ", ".join(missing)) + + return apache.OK
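Review bot: The flags test "if not fc.co_flags & 0x000C" skips the filtering when the handler takes either *args or **kwargs, but only **kwargs (CO_VARKEYWORDS, 0x0008) accepts unknown keyword names, so a handler declared with *args alone still raises TypeError on an unexpected form variable; testing 0x0008 only would cover that case. In the same block, "expected = fc.co_varnames[0:fc.co_argcount]" includes the first parameter (req), so a client-supplied variable named after it survives the filter and collides with the positional req in apply(); because nothing is then in "missing", the TypeError is re-raised and the server error this patch is meant to avoid comes back. Slicing from index 1, as the missing-variable loop already does, would drop it. In the except branch, a client omitting a variable is reported as apache.HTTP_INTERNAL_SERVER_ERROR; since the commit message treats this as the user's error, apache.HTTP_BAD_REQUEST fits better and keeps these requests from looking like server faults in the logs. The response body also sends the handler's parameter names to the client; consider writing them to the error log and returning a generic message if those names are not meant to be public. Finally, function.func_code is read without a guard, so a handler that is a callable object without func_code would fail here before it is ever called.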