Dear gophers,
Wouldn't it be nice to have an alternative http.Request field that
doesn't include form values from the URL query? It could be used by
Request.ParseForm() to merge query+form values into Request.Form.
The current behavior can be nastily exploited in apps that don't take
enough care. As pointed out on IRC:
http://play.golang.org/p/ncnuZKToE_
On May 16, 11:38 am, Peter Thrun wrote:
> What is the exploit? I don't see a problem in the posted code.

I'd guess that accepting query parameters as form data just makes form
tampering a lot easier.
But security wasn't my primary concern, just
came out while discussing this on IRC.
I just wanted to access form data separately.
Assuming that an established, authenticated and secure connection's $_POST could be trusted bit me once.... Never again.
On May 16, 6:46 pm, Kyle Lemons wrote:
> I think it's poor design to care where
> you get your form values.

This sounds a bit extreme. It is a common and reasonable practice to
care about, and sometimes you are told to care about. For this section
of the OAuth spec for example:
http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.1.3
...I should not ignore if a request parameter came from the query or
the body. Agree?
These are two different things:
1. Distinguishing between GET and POST parameters helps protect users
against themselves when they get social-engineered into clicking a
link to an application that doesn't make any distinction. One simply
cannot argue that it is as easy to get a user to make a POST request
as it is to get them to click a link -- it isn't. You _can_ argue if
there are really applications where this could have any negative
effect (without any input from the user who's being tricked), and
whether simply checking the request method or applying the workaround
would be sufficient. I think both of them are (although what Brad
suggested wouldn't hurt.) Developers who care about security will
likely use CSRF tokens anyway.
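To make the distinction the thread is about concrete, here is an added example (not code from the thread or from the Go project) showing how Request.ParseForm merges query and body values into Request.Form while Request.PostForm keeps only body values, and a helper that reads a parameter from the body only. The request, the parameter names and the postOnlyValue/sources helpers are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// postOnlyValue returns a parameter taken only from the request body
// (Request.PostForm), ignoring anything that arrived in the URL query.
// Request.FormValue would silently fall back to the query string.
func postOnlyValue(r *http.Request, key string) (string, bool) {
	if err := r.ParseForm(); err != nil {
		return "", false
	}
	vals, ok := r.PostForm[key]
	if !ok || len(vals) == 0 {
		return "", false
	}
	return vals[0], true
}

// sources reports where each value of key ended up after ParseForm:
// Form holds body values followed by query values, PostForm holds body only.
func sources(r *http.Request, key string) (form, postForm []string) {
	_ = r.ParseForm() // idempotent; a second call is a no-op
	return r.Form[key], r.PostForm[key]
}

// newTokenRequest builds a constructed OAuth-style token request in which
// "code" appears both in the URL query and in the POST body, and
// "redirect_uri" appears only in the query.
func newTokenRequest() *http.Request {
	body := url.Values{"code": {"from-body"}}.Encode()
	target := "/token?code=from-query&redirect_uri=https://query.example/cb"
	r := httptest.NewRequest("POST", target, strings.NewReader(body))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return r
}

func main() {
	r := newTokenRequest()
	form, post := sources(r, "code")
	fmt.Println("Form:", form, "PostForm:", post)
	v, ok := postOnlyValue(r, "redirect_uri")
	fmt.Println("redirect_uri from body only:", v, ok)
}
```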
Trusting that a post is actually a post seems isomorphic to trusting user input..... Not a pretty picture I agree.
-Simon Watt
OpenID 1.1:
"When a message is sent as a POST, OpenID parameters MUST only be sent
in, and extracted from, the POST body."
http://openid.net/specs/openid-authentication-1_1.html