[mod_python] Method POST

Raphaël B. nashii at gmail.com
Sat Jan 30 19:52:01 EST 2010


Yeah, I know that, but in PHP, for instance, we can authenticate a form a
little bit by checking the referrer URI and the $_POST variable :)

I just want to do the same.

So, I have made this method:

import cgi
from mod_python import util

def getPostData(req):
    # Return only the fields that came in the POST body.
    if req.method.upper() != 'POST':
        return {}
    posted = dict(util.FieldStorage(req, keep_blank_values=1))
    if posted and req.args:
        # Parse the query string properly (handles %-encoding and
        # repeated names) instead of splitting it with a regex.
        query_args = cgi.parse_qs(req.args, keep_blank_values=1)
        for name, values in query_args.items():
            if name not in posted:
                continue
            if isinstance(posted[name], list):
                # FieldStorage parses req.args before the body, so the
                # query-string copies come first: drop that many.
                posted[name] = posted[name][len(values):]
                if len(posted[name]) == 1:
                    posted[name] = posted[name][0]
                elif not posted[name]:
                    del posted[name]
            else:
                # A single value, and it came from the query string.
                del posted[name]
    return posted

req.post = getPostData(req)

So, req.post contains only the data that were POSTed.

You can then verify the Referer with something like:

import re  # re.escape keeps the dots in req.hostname literal

if 'Referer' not in req.headers_in.keys() or not re.search(
        '^https?://' + re.escape(req.hostname) + '/$', req.headers_in['Referer']):
    pass  # request did not come from this site's root page: reject it
You must change the end of the regex if you want to allow a referer that
is not only the domain; this line is for my own use ;)

Have a nice night :p
Raphaël
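The same two checks, rewritten as an added example that is not part of the original post and does not use mod_python: the query string and the body are parsed separately (so no query-string copies have to be popped back out of a merged FieldStorage), the Referer test is shown both as posted (hostname pasted into the regex) and with re.escape, and a request forged with curl is run through both checks. The sample requests, the hostname example.org and all function names are constructed for this example.

```python
import re
from urllib.parse import parse_qs

FORM_URLENCODED = 'application/x-www-form-urlencoded'


def split_fields(query_string, body, content_type):
    """Parse query-string and body fields separately.

    mod_python's util.FieldStorage merges both sources into one object;
    parsing them apart avoids having to strip query-string copies out
    afterwards. Values are lists, as parse_qs returns them.
    """
    get_fields = parse_qs(query_string or '', keep_blank_values=True)
    post_fields = {}
    if content_type.split(';', 1)[0].strip().lower() == FORM_URLENCODED:
        post_fields = parse_qs(body or '', keep_blank_values=True)
    return get_fields, post_fields


def referer_is_site_root_unescaped(headers, hostname):
    """The Referer test as posted: hostname pasted into the regex unescaped,
    so every '.' in it matches any character."""
    referer = headers.get('Referer')
    if referer is None:
        return False
    return re.search('^https?://' + hostname + '/$', referer) is not None


def referer_is_site_root(headers, hostname):
    """Same test with re.escape, so the dots in the hostname are literal."""
    referer = headers.get('Referer')
    if referer is None:
        return False
    return re.search('^https?://' + re.escape(hostname) + '/$', referer) is not None


def accept_form(method, query_string, body, content_type, headers, hostname):
    """Apply both checks; return the body-only fields, or None if rejected."""
    if method.upper() != 'POST':
        return None
    if not referer_is_site_root(headers, hostname):
        return None
    _get_fields, post_fields = split_fields(query_string, body, content_type)
    return post_fields


# Constructed sample requests (not captured traffic).
BROWSER_SUBMIT = dict(
    method='POST', query_string='id=7&page=edit', body='id=7&title=hello',
    content_type=FORM_URLENCODED + '; charset=UTF-8',
    headers={'Referer': 'http://example.org/', 'User-Agent': 'Mozilla/5.0'},
    hostname='example.org')

# The same request typed at a shell, never touching the HTML form:
#   curl -X POST -H 'Referer: http://example.org/' \
#        -d 'id=7&title=pwned' 'http://example.org/save?id=7&page=edit'
FORGED_SUBMIT = dict(BROWSER_SUBMIT, body='id=7&title=pwned',
                     headers={'Referer': 'http://example.org/',
                              'User-Agent': 'curl/7.64.0'})


if __name__ == '__main__':
    print(accept_form(**BROWSER_SUBMIT))  # {'id': ['7'], 'title': ['hello']}
    print(accept_form(**FORGED_SUBMIT))   # {'id': ['7'], 'title': ['pwned']}
```

Both submissions are accepted: the method and the Referer header are chosen by whoever sends the request, so the checks tell you which fields arrived in the body, not that the page's form produced them. That is the point made further down the thread, and it is why the body fields still need full server-side validation.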

On 30 January 2010 at 20:04, Clodoaldo Neto <clodoaldo.pinto at gmail.com> wrote:

> 2010/1/30 Raphaël B. <nashii at gmail.com>:
> > 2010/1/30 Eric Strand <estrand at isomedia.com>
> >>
> >> Check out the "method" member of the request object documented here:
> >>
> >> http://www.modpython.org/live/current/doc-html/pyapi-mprequest-mem.html
> >>
> >> --Eric
> >
> > It works if we want to know the global method used to load the web page,
> > but not to know which field was sent via POST and which via GET!
> > I would like to split the two kinds of submissions! Is this possible?
> >
> > Thanks for your answer ;)
> >
> > On 30 January 2010 at 02:29, Clodoaldo Neto <clodoaldo.pinto at gmail.com> wrote:
> >>
> >> What do you mean by "protect our form"? Although it takes more work to
> >> fake a POSTed form than to fake a GET form, it is not worth even
> >> thinking about it in terms of security. It is much saner to just use
> >> the POST/GET semantics: if it will not change the state of the
> >> universe then it is a GET, otherwise it is a POST.
> >>
> >> Regards, Clodoaldo
> >
> > If it's not really a "protection", it's a way to be sure that the form
> > was submitted the right way, and I prefer that. In fact, I would like to
> > be sure that all of the data that are obtained are from my form!
>
> There is no way to be sure about that. Even if you authenticate the
> user you can't "authenticate" the form, because the submitted data is the
> only thing you will get, not the original form. And all the hidden
> fields you send, the client can just submit them back.
>
> It sounds like you want to avoid the server-side sanitization and
> checking code, and you can't avoid it. The client-side code is just a
> user convenience and everything will have to be rewritten server side.
>
> Clodoaldo
>
> >
> > Regards,
> > Raphaël
> >
> >
>

