Web programming and a different "type" problem

Dave Cole djc at object-craft.com.au
Tue Apr 29 14:50:30 CEST 2003


>>>>> "Martijn" == Martijn Faassen <m.faassen at vet.uu.nl> writes:

Martijn> Doesn't jonpy allow the Evil User to manipulate the type of
Martijn> your Python variables too? The Evil User could get rid of the
Martijn> '*' in the form and submit, right? Though I grant it looks
Martijn> like the code will always fail in that case, which is
Martijn> good. It's a neat idea.

Martijn> Formulator tries quite hard to avoid the Evil User
Martijn> manipulating HTML forms problem as well, by the
Martijn> way. Validation information is not sent to the client but
Martijn> kept on the server, and requests are interpreted by it.

Albatross solves this yet another way.  As input tags are processed by
the template interpreter the form tag accumulates a summary of all the
input fields.  When the form is closed the summary is then pickled,
MD5 signed with a secret, compressed, and base64 encoded in a hidden
field.

When the browser submits a request from the form the data in the
hidden field is restored and used to interpret the rest of the
request.  This is good enough for casual use.

It can still be defeated by manually crafting a request which does not
include the hidden field.  There are simple enhancements that can be
made to the request handling which simply rejects requests which do
not contain the hidden field.

- Dave

-- 
http://www.object-craft.com.au




More information about the Python-list mailing list