[mod_python] Questions on _call_ with mp servlets and python

Daniel Popowich dpopowich at comcast.net
Fri Sep 3 18:38:30 EDT 2004


> This is security by obscurity. I would think making sure the values 
> passed into a function are safe is more important. The danger of 
> security by obscurity is it misleads you into not doing this kind of 
> checking...

I fear I was not clear.  I should never have used the word "secure."

It should be understood that there is no difference, security-wise,
between POST and GET.  One is no more secure than the other.  Every
request, regardless of POST or GET should be validated before
processing. 

My decision that mpservlets should not process "_call_" methods for
the GET method was simply to obscure python code.  I did not want
users of a browser to see something like this in their URL:

   http://somehost.org/some/action?_call_get_user_info%28bob%29=Submit

IMHO, this is just begging for attention.

Anyway, I can see that some developers will want something like that
and so I will add allowing it by setting an attribute to True.

I'm keeping a list of feature requests and will be getting another
release out this fall.


Daniel Popowich
-----------------------------------------------
http://home.comcast.net/~d.popowich/mpservlets/
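An added example, not mpservlets code, of the validation the post calls for: a dispatcher that parses the `_call_<method>(<args>)` field shape from the URL above, allowlists the methods a client may reach, checks each argument, and applies exactly the same checks whether the request arrived by GET or POST. The field regex, the allowlist, the handler and the username pattern are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs

# Field-name shape from the post: _call_<method>(<args>)=Submit
# The regex is an assumption about how such names are written.
CALL_RE = re.compile(r"^_call_([A-Za-z_][A-Za-z0-9_]*)\((.*)\)$")
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")  # constructed policy


def get_user_info(user):
    # Constructed stand-in for a real handler.
    return {"user": user, "role": "member"}


# Allowlist: only these names are callable from a request, each with
# one validator per expected positional argument (assumed layout).
HANDLERS = {
    "get_user_info": (get_user_info, [USERNAME_RE]),
}


def parse_call(field_name):
    """Return (method, [args]) for a _call_ field name, else None."""
    m = CALL_RE.match(field_name)
    if not m:
        return None
    name, raw_args = m.groups()
    args = [a.strip() for a in raw_args.split(",")] if raw_args.strip() else []
    return name, args


def dispatch(query_string, http_method):
    """Validate and dispatch a _call_ field; GET and POST are treated alike."""
    if http_method not in ("GET", "POST"):
        raise ValueError("unsupported method")
    # parse_qs percent-decodes both keys and values, so %28bob%29 -> (bob)
    fields = parse_qs(query_string, keep_blank_values=True)
    for field in fields:
        parsed = parse_call(field)
        if parsed is None:
            continue
        name, args = parsed
        if name not in HANDLERS:  # unknown or private method: refuse
            raise PermissionError("method not exposed: %s" % name)
        handler, validators = HANDLERS[name]
        if len(args) != len(validators):
            raise ValueError("wrong argument count for %s" % name)
        for value, pattern in zip(args, validators):
            if not pattern.match(value):
                raise ValueError("invalid argument for %s" % name)
        return handler(*args)
    return None
```

Hiding the dispatcher from GET changes nothing here: the allowlist and argument checks run on every request, which is the only thing that keeps an unexpected name or argument out of the handler.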


