Webware for Python

On Wednesday 26 December 2001 09:56 am, Mike Orr wrote:
> Is this a bug or a feature?  Arguably it's what ExtraPathInfo is
> "supposed" to do, but it *is* surprising, since I wouldn't expect
> index.py to be silently inserted in the middle of a URL.  If it is
> a feature, I'll just document it in the Troubleshooting section of
> the Wiki.

I believe this has been discussed before and was considered a feature.


> What options are there for protecting servlets from this abuse?
>  Besides turning off ExtraPathInfo, I mean, since I may want it for
> another portion of the site.  The only things I can think of are:
>         1) have every servlet display an error if extra path info !=
> ''.  

Maybe that wouldn't be too hard since you could put this in your 
SitePage.


>         2) don't worry, be happy.  But any relative links on such a
> page will contain that path junk and so will loop back to that page.
>  (Echoes of the Twilight Zone's "Judgement Day" episode...)

Hey, that's always good advice.  ;-)


And I guess the ultimate solution as usual, is "url decoding" hooks in 
WebKit so you can do whatever you like.


-Chuck

On Thu, Dec 27, 2001 at 10:13:07AM -0800, Chuck Esterbrook wrote:
> On Wednesday 26 December 2001 09:56 am, Mike Orr wrote:
> > Is this a bug or a feature? ?Arguably it's what ExtraPathInfo is
> > "supposed" to do, but it *is* surprising, since I wouldn't expect
> > index.py to be silently inserted in the middle of a URL. ?If it is
> > a feature, I'll just document it in the Troubleshooting section of
> > the Wiki.
> 
> I believe this has been discussed before and was considered a feature.
> 
> 
> > What options are there for protecting servlets from this abuse?
> > ?Besides turning off ExtraPathInfo, I mean, since I may want it for
> > another portion of the site. ?The only things I can think of are:
> > ????????1) have every servlet display an error if extra path info !=
> > ''. ?
> 
> Maybe that wouldn't be too hard since you could put this in your 
> SitePage.

Hmm, it would have to be someplace where it could be overridden, for the
servlets that do use ExtraPathInfo.

> > ????????2) don't worry, be happy. ?But any relative links on such a
> > page will contain that path junk and so will loop back to that page.
> > ?(Echoes of the Twilight Zone's "Judgement Day" episode...)
> 
> Hey, that's always good advice.  ;-)
> 
> 
> And I guess the ultimate solution as usual, is "url decoding" hooks in 
> WebKit so you can do whatever you like.

What do you mean by "url decoding" hooks?

-- 
-Mike (Iron) Orr, iron@...  (if mail problems: mso@...)
   http://iron.cx/     English * Esperanto * Russkiy * Deutsch * Espan~ol

On Thursday 27 December 2001 11:19 am, Mike Orr wrote:
> On Thu, Dec 27, 2001 at 10:13:07AM -0800, Chuck Esterbrook wrote:
> > Maybe that wouldn't be too hard since you could put this in your
> > SitePage.
>
> Hmm, it would have to be someplace where it could be overridden, for
> the servlets that do use ExtraPathInfo.

Right. Perhaps awake() invokes self.examineExtraPath() info which is 
implemented as "pass" for those servlets that don't like it. (Or you 
could go the other direction.) You could even use a mix-in although it 
wouldn't save you that much typing.


> > > ????????2) don't worry, be happy. ?But any relative links on such
> > > a page will contain that path junk and so will loop back to that
> > > page. ?(Echoes of the Twilight Zone's "Judgement Day" episode...)
> >
> > Hey, that's always good advice.  ;-)
> >
> >
> > And I guess the ultimate solution as usual, is "url decoding" hooks
> > in WebKit so you can do whatever you like.
>
> What do you mean by "url decoding" hooks?

Unless I've gone crazy, I think that revamping the mapping process of 
URLs to Servlets is on the list of future enhancements with 
ease-of-customization a high priority. That would imply you could tweak 
this behavior to your desire.


-Chuck

On Thursday 27 December 2001 11:19 am, Mike Orr wrote:
> > And I guess the ultimate solution as usual, is "url decoding" hooks
> > in WebKit so you can do whatever you like.
>
> What do you mean by "url decoding" hooks?

Unless I've gone crazy, I think that revamping the mapping process of 
URLs to Servlets is on the list of future enhancements with 
ease-of-customization a high priority. That would imply you could tweak 
this behavior to your desire.

-Chuck