Configuring ProtoRPC to accept application/x-www-form-urlencoded

Mark Cummins

May 13, 2014, 1:55:20 AM
to google-prot...@googlegroups.com
Could someone provide a simple example of how to configure a ProtoRPC service to accept data encoded as application/x-www-form-urlencoded? I've been trying to figure out how to do this from the source, but it's not very clear.

Also, I saw in an earlier thread Rafe noted that:

> If you are going to enable application/x-www-form-urlencoded for
> your service, please note that it is disabled by default and may open
> your service up to some security risks.  It used to be enabled by
> default but no longer is.  It is still possible to use but requires
> some additional set up.

Could you elaborate on what the security risks are compared to a JSON request?

The reason I need this is that my requests are coming from a jQuery plugin which basically insists on sending data urlencoded.

Thanks,
Mark

Rafe Kaplan

May 13, 2014, 6:29:29 PM
to google-prot...@googlegroups.com
Hi Mark. Sorry that it's not clearer from the source code. The
main thing you want to do is pass in a Protocols object to the
service_mapping function:

https://code.google.com/p/google-protorpc/source/browse/python/protorpc/wsgi/service.py#56

The Protocols class is defined here. It's mainly a way to map
content type to protocol format:

https://code.google.com/p/google-protorpc/source/browse/python/protorpc/remote.py#1123

So for example:

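    from protorpc import remote
    from protorpc import protourlencode
    from protorpc.wsgi import service

    # Creates a new object with JSON and Protobuf already set up if you want
    protos = remote.Protocols.new_default()
    # Registers the urlencoded format under the name 'urlencode'
    protos.add_protocol(protourlencode, 'urlencode')

    # HelloService is the remote.Service subclass being exposed (defined elsewhere)
    hello = service.service_mapping(HelloService, '/hello.*', protos)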

Is that helpful?

--
- Rafe Kaplan

Mark Cummins

May 14, 2014, 12:51:48 AM
to google-prot...@googlegroups.com
Hi Rafe,

Thanks very much! I actually managed to work it out after posting the question, but a comment with that example somewhere in the source would have been a big help.

Is it reasonable and safe to use this urlencode protocol in production? I noticed you mentioned elsewhere that it was disabled by default due to some security concerns. Is there anything I need to be aware of?
(Right now I'm just using it for a simple one-parameter function which returns a boolean, for what it's worth).

Also, small correction for anyone else finding this later. service.service_mapping() has a decorator which requires named arguments, so you need to call it like this:

   hello = service.service_mapping(HelloService, service_path='/hello.*', protocols=protos)

Rafe Kaplan

May 14, 2014, 2:53:22 PM
to google-prot...@googlegroups.com
Unfortunately I'm having difficulty recalling precisely what the
security concern was for. Most likely it had to do with folks trying
to use urlencoding with the GET HTTP method, which could open up
issues with cross-site attacks. There is not anything I'm aware of in
the code that would create a vulnerability on its own. Your use case
is very likely safe, so long as you do not attempt to handle GET
requests.
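
The condition from the last reply (do not handle GET), written as a WSGI wrapper. This is an added example, not code from the thread or from ProtoRPC, and it goes beyond the thread by also checking Origin on form-encoded POSTs, since an HTML form on any site can submit that content type. The names `guard_form_posts`, `probe` and `stub_service` and the origin `https://app.example.com` are assumptions; the stub stands in for the WSGI application being protected.

```python
from urllib.parse import urlsplit

FORM_TYPE = "application/x-www-form-urlencoded"

def origin_of(url):
    """Return scheme://host[:port] for a URL, or None if it has no origin."""
    parts = urlsplit(url)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}".lower()
    return None

def guard_form_posts(app, allowed_origins):
    """Wrap a WSGI app: POST only; form-encoded bodies only from allowed origins."""
    allowed = frozenset(o.rstrip("/").lower() for o in allowed_origins)

    def reject(start_response, status, extra=()):
        body = status.encode("ascii")
        start_response(status, [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body)))] + list(extra))
        return [body]

    def middleware(environ, start_response):
        # The thread's condition: never serve the RPC over GET (or anything but POST).
        if environ.get("REQUEST_METHOD") != "POST":
            return reject(start_response, "405 Method Not Allowed", [("Allow", "POST")])
        ctype = environ.get("CONTENT_TYPE", "").split(";", 1)[0].strip().lower()
        if ctype == FORM_TYPE:
            # Added beyond the thread: require a known Origin (Referer as fallback).
            # Clients that send neither header are refused for this content type.
            origin = environ.get("HTTP_ORIGIN") or origin_of(environ.get("HTTP_REFERER", ""))
            if origin is None or origin.lower() not in allowed:
                return reject(start_response, "403 Forbidden")
        return app(environ, start_response)

    return middleware

def probe(app, method, ctype="", origin=None):
    """Send one constructed request through `app` and return the status line."""
    environ = {"REQUEST_METHOD": method, "CONTENT_TYPE": ctype}
    if origin:
        environ["HTTP_ORIGIN"] = origin
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]

def stub_service(environ, start_response):  # hypothetical stand-in for the real service app
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"{}"]

guarded = guard_form_posts(stub_service, ["https://app.example.com"])
```

JSON requests pass through the wrapper untouched; only the form-encoded path gets the extra origin check.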