[mod_python] Filtering POST requests (req.read ())

Chris Jackson christopher.jackson at gmail.com
Tue Feb 15 10:30:49 EST 2005

One side suggestion would also be to use req.form , like so:

my_list_of_special_field_names = ['special1', 'special2', 'special3']
for special in my_list_of_special_field_names:
    if special in req.form:
        return apache.HTTP_FORBIDDEN

req.form holds all fields whether it's from POST or GET.

If you're looking to see if certain values of the fields are
forbidden, you can always do:

if req.form.has_key("forbidden_value"):  # etc, etc.

I'm unsure if this helps you any, but I figured I'd post it anyway.

~= Chris =~

On Tue, 15 Feb 2005 16:30:31 +0200, Vladimir Petrovic
<vladap at criticalpublics.com> wrote:
> In my setup, apache is acting like a reverse proxy to the application server
> (Zope). The setup uses proxy rewrite rules. I would like to setup a modpython
> handler which will inspect all POST requests and it will block the request if
> some special field names are used.
> I've setup PythonPostReadRequestHandler
> with the following code:
> fs = util.FieldStorage (req)
> for k in fs.keys ():
>   if not check_field_name (k): return apache.HTTP_FORBIDDEN
> return apache.OK
> If the POST request contain an invalid field apache returns FORBIDDEN error as
> it should. But if the request doesn't contain invalid field names, then the
> request is "blocked", the client doesn't get any reply. The same happens if I
> just call req.read () inside the handler.
> It seems that calls to req.read () inside FieldStorage use all request data
> that client sends, and after the handler returns the request gets blocked. Is
> there a way to solve this problem or is there an alternative way to inspect
> POST data ?
> thank you,
> Vladimir
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python

More information about the Mod_python mailing list