Till Maas wrote:
On Tue November 25 2008, Toshio Kuratomi wrote:
> > For these issues we could either concentrate on fixing or mitigating
> > them. Fixing them would require the laborious changes I talked about
> > earlier to change the way the framework already processes the POST and
> > GET parameters before they get to us.
> I guess it would be enough only to check whether the request is a POST
> request without checking where the variables come from. This is maybe
> available in this variable: cherrypy.request.method
The information is there, but it has to be checked. So someone would
have to audit changes to see if a method now allows changes to be made
without having added an error condition if the request was made via GET
instead of POST. This is more on-going work than tying the check to the
check for an authenticated user.
> > Mitigation is easier -- we should
> > make it part of our best practices to never have links or GET driven
> > forms that make state changes when designing the UI and templates.
> This is also needed, if you check for the request method, because otherwise
> you would have broken links.
Right.
-Toshio
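The two approaches above can be combined: a request-method check that is bundled with the authenticated-user check, so a handler author cannot enable one without the other. The following is an added example, not code from the Fedora infrastructure projects or from TurboGears/CherryPy. It assumes a per-request object with `.method` and `.user` attributes standing in for `cherrypy.request`, and the decorator names (`require_post`, `require_login`, `authenticated_state_change`) and the `simulate` helper are hypothetical.

```python
"""Reject state changes made via GET by tying the method check to the
authentication check.  Added example; framework-agnostic stand-in for
cherrypy.request so it runs without CherryPy installed."""
import functools
import threading


class RequestContext(threading.local):
    """Stand-in for cherrypy.request: the current request's verb and user.
    (Assumption: real code would read cherrypy.request.method instead.)"""
    method = "GET"
    user = None


request = RequestContext()


class HTTPError(Exception):
    """Minimal stand-in for a framework HTTP error response."""

    def __init__(self, status, message):
        super().__init__(f"{status} {message}")
        self.status = status


def require_post(fn):
    """Refuse to run a state-changing handler unless the verb is POST.

    Checking only the verb, not where the parameters came from, is the
    cheap check discussed above: a GET with the same parameters is refused
    regardless of whether they arrived in the query string or a body."""
    @functools.wraps(fn)
    def wrapper(*args, **kwargs):
        if request.method.upper() != "POST":
            raise HTTPError(405, "state change requires POST")
        return fn(*args, **kwargs)
    wrapper.state_changing = True  # marker used by the audit helper below
    return wrapper


def require_login(fn):
    """Refuse to run a handler unless a user is authenticated."""
    @functools.wraps(fn)
    def wrapper(*args, **kwargs):
        if request.user is None:
            raise HTTPError(403, "login required")
        return fn(*args, **kwargs)
    return wrapper


def authenticated_state_change(fn):
    """One decorator for 'logged-in user changes state': the POST check
    rides along with the auth check, so it is not forgotten separately."""
    return require_login(require_post(fn))


def guarded_handlers(controller):
    """Aid for the manual audit: names of handlers carrying the POST guard.
    Whether an unlisted handler changes state still needs a human reviewer."""
    return sorted(
        name for name in dir(controller)
        if not name.startswith("_")
        and getattr(getattr(controller, name), "state_changing", False)
    )


class PackageController:
    """Toy controller: one read-only view and one state-changing action."""

    def __init__(self):
        self.owners = {"bash": "alice"}  # constructed sample data

    def view(self, package):
        return self.owners.get(package)

    @authenticated_state_change
    def set_owner(self, package, owner):
        self.owners[package] = owner
        return owner


def simulate(method, user, handler, **params):
    """Dispatch one request and return (status, result) like a framework would."""
    request.method = method
    request.user = user
    try:
        return 200, handler(**params)
    except HTTPError as err:
        return err.status, None


if __name__ == "__main__":
    ctl = PackageController()
    print(simulate("GET", "alice", ctl.set_owner, package="bash", owner="bob"))
    print(simulate("POST", "alice", ctl.set_owner, package="bash", owner="bob"))
    print(guarded_handlers(ctl))
```

A GET to `set_owner` now fails with 405 even for a logged-in user, which is exactly why the template side of the mitigation is still required: any `<a href="...set_owner?...">` link or GET form in the UI becomes a broken link once the check is in place, so such actions must be rendered as POST forms.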