[Webware-checkins] r6502 - Webware/trunk/WebKit
From: <updates@we...> - 2007-04-22 18:41
Author: chrisz
Date: Sun Apr 22 12:41:42 2007
New Revision: 6502
Modified:
Webware/trunk/WebKit/JSONRPCServlet.py
Log:
Make JSONRPCServlet.py less vulnerable to JavaScript hijacking by forcing POST requests (patch #1697059 by Jean-Francois Pieronne).
Modified: Webware/trunk/WebKit/JSONRPCServlet.py
==============================================================================
--- Webware/trunk/WebKit/JSONRPCServlet.py (original)
+++ Webware/trunk/WebKit/JSONRPCServlet.py Sun Apr 22 12:41:42 2007
@@ -12,8 +12,6 @@
from HTTPContent import HTTPContent
-debug = 0
-
class JSONRPCServlet(HTTPContent):
"""A superclass for Webware servlets using JSON-RPC techniques.
@@ -27,9 +25,24 @@
"""
+ # Class level variables that can be overridden by servlet instances:
+ _debug = 0 # set to True if you want to see debugging output
+ _allowGet = 0 # set to True if you want to allow GET requests
+
def __init__(self):
HTTPContent.__init__(self)
+ def respondToGet(self, transaction):
+ """Deny GET requests with JSON by returning an error.
+
+ This forces clients to use POST requests only, since GET requests
+ with JSON are vulnerable to "JavaScript hijacking".
+
+ """
+ if not self._allowGet:
+ self.error("GET method not allowed")
+ HTTPContent.respondToGet(self, transaction)
+
def defaultAction(self):
self.json_call()
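Review bot: The new respondToGet still falls through to `HTTPContent.respondToGet(self, transaction)` after `self.error("GET method not allowed")`, so unless `error` raises (its implementation is not visible here), a GET with `_allowGet` unset is reported as an error and then still dispatched through defaultAction into json_call, which is exactly the path this commit intends to close. Either return after the error call, `self.error("GET method not allowed")` followed by `return`, or make the superclass call the else branch: `if self._allowGet: HTTPContent.respondToGet(self, transaction)` / `else: self.error("GET method not allowed")`. The rejection would also be clearer to clients as an HTTP 405 with an Allow: POST header rather than a 200 carrying an error body, if the servlet's response API supports setting a status. A smaller point of style: the new `_debug` and `_allowGet` flags are initialised to `0` while their comments say "set to True"; using `False` keeps the code and the comment consistent.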
@@ -62,7 +75,7 @@
'was not found' % call)
else:
try:
- if debug:
+ if self._debug:
self.log("json call %s(%s)" % (call, params))
result = method(*params)
self.write(simplejson.dumps({'id': id, 'result': result}))