
Security vulnerability #92

Closed
kellym opened this issue May 21, 2010 · 5 comments

Comments

@kellym

kellym commented May 21, 2010

I was attempting to write my own authentication with tornado, but I have noticed that both POST and GET arguments come through with the same call, self.get_argument(). Maybe I'm a little overly paranoid, but I like my arguments to come in separately... in fact, it's highly recommended to never use a GET request to store information, yet someone could easily throw in a query string with whatever data they wanted.

I'm all fine for leaving self.get_argument(), but maybe there should be a built-in self.GET.get() and self.POST.get(), something like Django.

@csytan

csytan commented May 21, 2010

How would this be exploited?

@garyburd

Note that the HTTP request method (GET,POST) and the location of request parameters (query string, request body) are different concepts.

Because Tornado dispatches to different handler methods for each HTTP request method, there is no danger of an application confusing a GET request as a POST request or vice versa.

@kellym

kellym commented May 21, 2010

Although try a POST request with a query string attached to it. Both will still be on the argument list.

@garyburd

Yes, that is by design. Most applications don't need to distinguish between parameters in the query string and the request body.

@bdarnell
Member

Yeah, the use of different methods (RequestHandler.get vs RequestHandler.post) addresses most of the get-vs-post issues. It's true that for POSTs Tornado masks the distinction between parameters in the url and those in the body, but I can't think of a scenario in which an attacker could modify the url without also being able to modify the body. I'm going to close this bug, but please re-open it if there is some specific way in which this behavior could be abused.

This issue was closed.
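The behaviour the thread is arguing about, shown as an added example rather than code from Tornado or from anyone in the issue. It re-implements with the standard library the merge rule Tornado applies: the argument table that `RequestHandler.get_argument()` reads from holds the query-string values first with the body values appended after them, and `get_argument()` returns the last value for a name. `urllib.parse.parse_qs` stands in for Tornado's own form parser here, which is close enough for `application/x-www-form-urlencoded` bodies. The `check_login_post` policy and the `SENSITIVE` set are assumptions for illustration, not anything Tornado ships; they show the separation kellym asks for, which later Tornado releases (3.2 and up) expose as `get_query_argument()`, `get_body_argument()` and the `request.query_arguments` / `request.body_arguments` dictionaries.

```python
"""Model of how Tornado merges query-string and body parameters.

Added example, not Tornado's code. parse_qs stands in for Tornado's
form parser; the merge rule and last-value-wins lookup follow what the
thread describes.
"""
from urllib.parse import parse_qs


def parse_request(query_string, body, content_type="application/x-www-form-urlencoded"):
    """Return (query_arguments, body_arguments, merged) for one request.

    merged is what get_argument() sees: query values first, then the body
    values appended under the same name.
    """
    query_arguments = parse_qs(query_string, keep_blank_values=True)
    body_arguments = {}
    if content_type.startswith("application/x-www-form-urlencoded"):
        body_arguments = parse_qs(body, keep_blank_values=True)
    merged = {name: list(values) for name, values in query_arguments.items()}
    for name, values in body_arguments.items():
        merged.setdefault(name, []).extend(values)
    return query_arguments, body_arguments, merged


def get_argument(arguments, name, default=None):
    """Last value wins, as in RequestHandler.get_argument()."""
    values = arguments.get(name)
    return values[-1] if values else default


def get_body_argument(body_arguments, name, default=None):
    """Read from the body only: the separate accessor kellym asks for."""
    return get_argument(body_arguments, name, default)


# Assumption: fields a login endpoint should never accept from the URL,
# because query strings land in access logs, proxy logs, browser history
# and Referer headers even when the request is a POST.
SENSITIVE = {"password", "token", "csrf"}


def check_login_post(query_string, body):
    """Hypothetical login policy (an assumption, not Tornado's behaviour).

    Credentials are read from the body only, and a request that carries a
    sensitive field in the query string is rejected outright instead of
    being silently merged.
    """
    query_arguments, body_arguments, _merged = parse_request(query_string, body)
    leaked = sorted(SENSITIVE & set(query_arguments))
    if leaked:
        return ("reject", leaked)
    user = get_body_argument(body_arguments, "user")
    password = get_body_argument(body_arguments, "password")
    if user is None or password is None:
        return ("reject", ["missing credentials"])
    return ("ok", {"user": user, "password": password})


if __name__ == "__main__":
    # Constructed request: POST /login?user=admin with body user=alice&password=s3cret
    q, b, m = parse_request("user=admin", "user=alice&password=s3cret")
    print("merged user  :", get_argument(m, "user"))        # alice (body appended last)
    print("query user   :", get_argument(q, "user"))        # admin
    # Constructed request: POST /login?user=admin with a body lacking "user"
    q, b, m = parse_request("user=admin", "password=s3cret")
    print("merged user  :", get_argument(m, "user"))        # admin, came from the URL
    print("body user    :", get_body_argument(b, "user"))   # None
    print(check_login_post("password=s3cret", "user=alice"))
```

The second constructed request is the case kellym describes: the handler is `post()`, so the method dispatch garyburd and bdarnell point to has done its job, yet `get_argument("user")` still yields a value that arrived in the URL. Whether that matters depends on what the parameter is; bdarnell's observation that whoever controls the URL also controls the body holds, so the practical reason to read credentials from the body alone is to keep them out of logs and history rather than to stop a forged request.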