Deron Meranda
deron.meranda at gmail.com
Tue Nov 29 17:06:17 EST 2005
On 11/29/05, Jim Gallacher <jpg at jgassociates.ca> wrote:
> However, most browsers IIRC will only submit a form using POST or GET.

Yes, if it's a browser, and if it's a <form>. But the server doesn't
know for sure where it came from, it might not be a browser. You
should still always check if you want to be safe.

Anyway, looking at things closer. You determine the type of request
via the req.method which can be about anything "GET", "POST", "PUT",
"DELETE", ...

"Arguments" can be decoded any way you want. There are expected
conventions though, and this is what mod_python's FieldStorage class
attempts to do (you don't have to use FieldStorage though, which I
don't for example when I handle PUT requests).

In mod_python the rules seem to be:

  1. Regardless of method, decode arguments from the request URL
     (the ?-part)

  AND

  2. If method is POST:
     2a. If Content-Type is 'application/x-www-form-urlencoded':
         URL-decode *additional* arguments from request body
     2b. If Content-Type is 'multipart/form-data':
         decode one-level of the multipart mime message and each
         part becomes an *additional* argument

The standard cgi module's rules are a little different though-- from
what I can tell:

  1. If the method is either GET or HEAD, decode arguments from
     the request URL, if any.

  OR

  2. For any other method:
     2a. If Content-Type is 'application/x-www-form-urlencoded':
         URL-decode arguments from the request body
     2b. If Content-Type is any 'multipart/*':
         decode the multipart mime message and each part becomes
         an argument.

So with the standard cgi, you can never get a combination of
arguments that come from both the URL and the content body. But
with mod_python, you can.

> If you use <form method="PUT">, the browser will still use a POST.

This is IMHO a browser bug. If it doesn't support the method then
it should not submit anything. But from what I can tell most browsers
will treat anything other than GET or POST as if it were a GET (at
least Firefox).

urllib2 is likewise not useful for anything other than gets or posts.
But if you use Python's httplib, you can specify any method you want.
Other "tools" such as wget and curl also allow you to specify other
methods.

Anyway, if it is important to tell where arguments came from, perhaps
the FieldStorage and related classes could be updated to track an
additional attribute, perhaps called "source"? And it could either be
"url" or "content". This wouldn't be a very challenging patch.

But, of course, this would be adding functionality that's not in the
standard cgi module's FieldStorage classes, so I don't know if that's
where we want mod_python to go. But the standard cgi module doesn't
mix sources anyway, so it's not an issue for them.

--
Deron Meranda
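The two rule sets described in the message above, as an added example that is not part of the original post and is not mod_python's or the cgi module's own code. It covers only the urlencoded case (multipart is left out), and the function names and the `source` tag values are hypothetical, modelled on the "url"/"content" attribute the post proposes.

```python
from urllib.parse import parse_qsl

FORM = "application/x-www-form-urlencoded"

def _is_form(ctype):
    # Ignore parameters such as "; charset=utf-8" and letter case.
    return ctype.split(";")[0].strip().lower() == FORM

def _pairs(text, source):
    # Tag every decoded (name, value) with where it came from.
    return [(k, v, source) for k, v in parse_qsl(text, keep_blank_values=True)]

def modpython_style(method, query, ctype, body):
    """URL arguments always, plus *additional* body arguments on POST."""
    args = _pairs(query, "url")
    if method == "POST" and _is_form(ctype):
        args += _pairs(body, "content")
    return args

def cgi_style(method, query, ctype, body):
    """URL arguments for GET/HEAD, otherwise body arguments; never both."""
    if method in ("GET", "HEAD"):
        return _pairs(query, "url")
    if _is_form(ctype):
        return _pairs(body, "content")
    return []

def mixed_names(args):
    """Field names supplied by both the URL and the body (the ambiguous case)."""
    seen = {}
    for name, _value, source in args:
        seen.setdefault(name, set()).add(source)
    return sorted(n for n, sources in seen.items() if len(sources) > 1)

# Constructed request: "user" appears in the URL and again in the POST body.
SAMPLE = ("POST", "user=alice&page=2", FORM + "; charset=utf-8",
          "user=bob&comment=hi")

if __name__ == "__main__":
    for label, fn in (("mod_python-style", modpython_style),
                      ("cgi-style", cgi_style)):
        args = fn(*SAMPLE)
        print(label, args, "mixed:", mixed_names(args))
```

A handler that needs a value to come from the body only can filter on the tag, or reject the request when `mixed_names` is non-empty.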