tgext.routes chang

Alessandro Molina alessandro.molina at gmail.com
Thu Apr 14 20:00:19 UTC 2016


On Thu, Apr 14, 2016 at 3:17 PM, Søren Løvborg <sorenl at unity3d.com> wrote:

>
> Sorry, this is going to get long. :-)
>
> Thomas De Schampheleire wrote:
> > So this means updating Kallithea. Do you happen to be interested and
> > available for such change?
>
> Yes. I am currently looking into the Kallithea code to see how this
> would work. There is definitely room for improvement. I'll get back to
> you (and the list) when I have something more concrete.
>
> Next, I wrote:
> >>> (Aside: I did not look at the tgext.routes code, but I assume the
> >>> override support is opt-in? Enabling it automatically for all applications
> >>> could cause security issues for applications that don't have CSRF
> >>> protection.)
>
> Alessandro Molina replied:
> > Nope, there is no opt-in.
> > There isn't one in Routes itself either:
> > https://github.com/bbangert/routes/blob/master/routes/middleware.py#L61-L70
> >
> > Also, even if you opted out, you could still perform CSRF in any case by
> > using an XMLHttpRequest or a form.
>
> Well, in Routes, it's an opt-out, but the option is there (the
> use_method_override argument). I think it's a mistake to enable by
> default.
>
> Messing around with the HTTP request like this is definitely not
> something you should do in a library, unless the application
> explicitly asks for it, and even then only under certain limited
> circumstances. This is why:
>

I'm sorry if my reply made you fervent about the topic; I quickly discarded
the discussion about opt-in/out just because I found it pretty useless in
this context, as it doesn't guarantee you are safe from cross-site attacks
and Kallithea needed that feature on in any case (it was actually added for
Kallithea itself).

I was more interested in the concern of updating the environ key or not,
which for consistency I would do, but it's open to interpretation.

I know that by RFC you should theoretically stick to some behaviours, but
in practice they are not enforced, and the standard itself states that being
able to override them might be considered a feature. I mean, while it's
wrong and will hit you back for many reasons, caching included... the world
is full of apps that change things on GET requests...

I'll gladly add an option to opt in in tgext.routes if that makes you feel
more comfortable; it won't change much for me, as there are no other apps
apart from Kallithea that replace the whole routing stack in TG with
tgext.routes, and it was made for Kallithea, so no one will complain ;)
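Added example (my own code, not from this thread and not the tgext.routes or Routes implementation): a WSGI middleware that makes method override opt-in and honours `_method` only when it arrives in a form-encoded POST body, so a `?_method=DELETE` on a plain GET is never rewritten. The `MethodOverride` class, `ALLOWED_OVERRIDES` set and `wsgi.original_method` environ key are assumed names; the `use_method_override` argument mirrors the Routes option mentioned above.

```python
from io import BytesIO
from urllib.parse import parse_qs

# Verbs a form POST may be rewritten into; safe methods are never targets.
ALLOWED_OVERRIDES = {"PUT", "DELETE", "PATCH"}

class MethodOverride:
    """Opt-in method override: honours ``_method`` only in a form-encoded POST body."""

    def __init__(self, app, use_method_override=False):  # off unless the app asks
        self.app = app
        self.use_method_override = use_method_override

    def __call__(self, environ, start_response):
        form = environ.get("CONTENT_TYPE", "").startswith("application/x-www-form-urlencoded")
        if self.use_method_override and environ.get("REQUEST_METHOD") == "POST" and form:
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length)
            environ["wsgi.input"] = BytesIO(body)  # keep the body re-readable for the app
            override = parse_qs(body.decode("latin-1")).get("_method", [""])[0].upper()
            if override in ALLOWED_OVERRIDES:
                environ["wsgi.original_method"] = "POST"  # hypothetical key name
                environ["REQUEST_METHOD"] = override
        # A ``_method`` in the query string of a GET is deliberately ignored.
        return self.app(environ, start_response)

def make_environ(method, query="", body=b"", form=False):
    """Constructed WSGI environ for the checks below (not a captured request)."""
    env = {"REQUEST_METHOD": method, "QUERY_STRING": query,
           "wsgi.input": BytesIO(body), "CONTENT_LENGTH": str(len(body))}
    if form:
        env["CONTENT_TYPE"] = "application/x-www-form-urlencoded"
    return env

def seen_method(environ, use_method_override=True):
    """Return the verb a downstream app observes after the middleware runs."""
    seen = {}

    def app(env, start_response):
        seen["method"] = env["REQUEST_METHOD"]
        return [b"ok"]

    MethodOverride(app, use_method_override)(environ, lambda *args: None)
    return seen["method"]

if __name__ == "__main__":
    print(seen_method(make_environ("GET", query="_method=DELETE")))             # GET
    print(seen_method(make_environ("POST", body=b"_method=delete", form=True)))  # DELETE
```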