[mod_python] Questions on _call_ with mp servlets and python

David Fraser davidf at sjsoft.com
Fri Sep 3 22:35:27 EDT 2004


Daniel Popowich wrote:

>Vinj Vinj writes:
>
>  
>
>>...I'm trying to use _call_ but have some questions/suggestions. My
>>site has a yahoo like interface which has a lot of links which
>>perform actions. These actions (links) go through HTTP GET.
>>
>>I changed the respond so that the servlet looks for the _call_ form
>>variable and the function gets called even if it comes from a GET request.
>>
>>    
>>
>
>I restricted the use of the _call_ mechanism to POSTs for security
>reasons.  Granted, POSTs are no more secure than GETs, but at least
>with POSTs you don't see the data in the URL, staring you in the
>face.  And the thought of calls to methods visible in the browser URL
>window didn't thrill me.  I've considered adding an attribute to
>Servlet, say, allow_call_with_get, defaulting to false; then a
>developer can set it to true if they really want to allow this
>feature.  One benefit with this attribute: you can turn it on and off
>per servlet instead of globally across all servlets.
>
>Another thing you can do, to obfuscate the url string so it's not so
>obvious a method is being called: change the value of METHODCALL at
>the top of servlet.py.  This is probably another candidate for
>turning into an attribute of Servlet.
>  
>
This is security by obscurity. I would think making sure the values 
passed into a function are safe is more important. The danger of 
security by obscurity is it misleads you into not doing this kind of 
checking...
I *love* being able to pass GET variables into functions in other 
people's programs ... it means web programs are easier to interact with.
Just this week I wrote a script to search for flights on top of an 
airline's website ... it saved me a lot of time

David


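The two positions in this exchange (restrict the method-call variable to POST and hide its name, versus check the values that reach the method) can both be made concrete in one small dispatcher. The following is an added example, not code from mpservlets or mod_python: the Request and Servlet classes, the @exposed decorator, the allow_call_with_get attribute and the flight data are all constructed here to illustrate the pattern Daniel describes. It keeps his per-servlet POST/GET switch but treats it as a convenience, not a control; what actually stops an arbitrary attribute from being called is an explicit allowlist of exposed methods, a check that the form fields fit the method's parameters, and the method validating its own arguments, which is David's point.

```python
import inspect
import re
from dataclasses import dataclass, field

# Name of the form variable that selects a method.  The thread suggests
# making this a per-servlet attribute, so the base class below carries it.
METHODCALL = "_call_"


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: the verb plus the parsed
    form fields (query string for GET, body for POST)."""
    method: str
    form: dict = field(default_factory=dict)


def exposed(fn):
    """Mark a servlet method as reachable through the METHODCALL variable.
    Anything not marked is treated as non-existent by dispatch()."""
    fn.exposed = True
    return fn


class Servlet:
    """Hypothetical base class modelling the dispatch pattern (not mpservlets')."""
    methodcall = METHODCALL
    allow_call_with_get = False   # opt-in per servlet, as proposed in the thread

    def respond(self, req):
        if req.method not in ("GET", "POST"):
            return 405, "method not allowed"
        name = req.form.get(self.methodcall)
        if name is None or (req.method == "GET" and not self.allow_call_with_get):
            return self.default(req)
        args = {k: v for k, v in req.form.items() if k != self.methodcall}
        return self.dispatch(name, args)

    def dispatch(self, name, args):
        # 1. Allowlist: only @exposed methods are callable.  respond(),
        #    dispatch(), dunder attributes etc. all fall through to 404.
        target = getattr(self, name, None)
        if not callable(target) or not getattr(target, "exposed", False):
            return 404, "no such action"
        # 2. Shape check: every form field must map to a parameter and every
        #    required parameter must be present, otherwise it is a client error.
        try:
            inspect.signature(target).bind(**args)
        except TypeError:
            return 400, "bad arguments"
        # 3. Value check is the method's own job (see FlightServlet.search).
        return target(**args)

    def default(self, req):
        return 200, "index"


IATA = re.compile(r"[A-Z]{3}")   # three-letter airport code


class FlightServlet(Servlet):
    allow_call_with_get = True    # the UI's action links are GETs, so opt in

    def __init__(self):
        # Constructed sample data, not a real schedule.
        self.flights = {("JNB", "CPT"): ["SA301", "SA303"], ("JNB", "DUR"): ["SA561"]}

    @exposed
    def search(self, origin, dest):
        # Validate the values before using them; this is the check that
        # renaming METHODCALL or forbidding GET does not replace.
        if not (IATA.fullmatch(origin) and IATA.fullmatch(dest)):
            return 400, "bad airport code"
        return 200, self.flights.get((origin, dest), [])

    def reset_database(self):     # deliberately NOT exposed
        self.flights.clear()
        return 200, "reset"


class PostOnlyFlightServlet(FlightServlet):
    allow_call_with_get = False   # GETs fall through to default()


class UnsafeServlet(FlightServlet):
    """The same pattern without the checks: whatever attribute name arrives
    in the form variable gets called, so reset_database is one link away."""
    def dispatch(self, name, args):
        return getattr(self, name)(**args)
```

Note that hiding the variable name does nothing against UnsafeServlet once anyone reads the HTML of a page that uses it; the allowlist and the argument checks are what keep reset_database unreachable in FlightServlet, whether the request is a GET or a POST.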
