python - Tornado - JSON Output sent as Response to be wrapped in dictionary -

-

i came across section in docs :

requesthandler.write(chunk)

writes given chunk output buffer.

to write output network, use flush() method below.

if given chunk dictionary, write json , set content-type of response application/json. (if want send json different content-type, call set_header after calling write()).

note lists not converted json because of potential cross-site security vulnerability. json output should wrapped in dictionary. more details @ http://haacked.com/archive/2009/06/25/json-hijacking.aspx/ , https://github.com/facebook/tornado/issues/1009

so have few questions related this:

  1. what mean this?

if given chunk dictionary, write json.

  1. what mean this?

note lists not converted json because of potential cross-site security vulnerability.

  1. what mean this? , here, mean json output? , why wrap in dictionary?

all json output should wrapped in dictionary.

  1. this has 2 subparts :

    a. best way send json responses tornado client?

    b. better way send responses? if not json, is? , if json, mention answer subpart (a).

please try answer parts , subparts in numbered manner can understand them properly.

  1. what mean this?

    if given chunk dictionary, write json.

it means, if pass dict write automatically json encoded. method write can handle dict, byte, unicode_type (simplifying str).

  1. what mean this?

    note lists not converted json because of potential cross-site security vulnerability.

assume provide service , request /example/my_service/user_data.json , json response.

if top level object array like:

["john smith", "email@mail"]

then attacker redefine array's constructor , add script tag /example/my_service/user_data.json, gets evaluated - array created attacker's constructor. because standalone array valid javascript code.

since standalone objects, except empty one, not valid js, if return

{"name": "john smith", "email":"email@mail"}

attacker end syntaxerror: missing ; before statement or similar.

more info http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/

  1. what mean this? , here, mean json output? , why wrap in dictionary?

    all json output should wrapped in dictionary.

as read above, becomes pretty clear, top-level element in json should not array. tornado raise error if pass list.of course can bypass safety, passing string (json dumps before wirte), not wise:

self.write('["this", "is", "wrong"]')

  1. a. best way send json responses tornado client?

    b. better way send responses? if not json, is? , if json, mention answer subpart (a).

i use, if possible, json or xml response. not using tornado's mechanism that, pass encoded object - string write. reason is, it's cleanest way override tornado's encoders , use e.g. ujson.

edit

worth noting modern browsers should not vulnerable.


Comments

Post a Comment

Popular posts from this blog

c - How to retrieve a variable from the Apache configuration inside the module? -

-
i'm building custom apache module. how retrieve variable apache configuration inside module? see variable "some_var_config_from_apache_or_htaacess" inside apache module: /* source: http://people.apache.org/~humbedooh/mods/examples/mod_example_1.c */ /* include required headers httpd */ #include "httpd.h" #include "http_core.h" #include "http_protocol.h" #include "http_request.h" static void register_hooks(apr_pool_t *pool); static int example_handler(request_rec *r); /* define our module entity , assign function registering hooks */ module ap_module_declare_data example_module = { standard20_module_stuff, null, // per-directory configuration handler null, // merge handler per-directory configurations null, // per-server configuration handler null, // merge handler per-server configurations null, // directives may have httpd register_hoo
Read more

c# - Constructor arguments cannot be passed for interface mocks -

-
when debug code , read line mocklessonplannerafactory creation error: constructor arguments cannot passed interface mocks. var mockschoolclasscodeservice = new mock<ischoolclasscodeservice>(); var mockdateservice = new mock<idateservice>(); var mocklessonplannerafactory = new mock<ilessonplannerafactory>(mockdateservice.object); var mocklessonplannerbfactory = new mock<ilessonplannerbfactory>(mockdateservice.object); var service = new timetableservice(mockunitofwork.object, mocklessonplannerafactory.object, mocklessonplannerbfactory.object, mockschoolclasscodeservice.object); my timetableservice accepts instances of interface type only. mocklessonplannerafactory , bfactory... want in constructor idateservice passed. what wrong code? the clue in error message "constructor arguments cannot passed interface mocks." the mock created interface have default constructor because interfaces don't have constructor. remember mockin
Read more

python - malformed header from script index.py Bad header -

-
i want run python code in apache2(ubuntu 14.04) server. have followed these steps , getting error: step 1: configuration 1: have created directory , file under /var/www/cgi-bin configuration 2 : have edited /etc/apache2/sites-available/000-default.conf alias /cgi-bin /var/www/cgi-bin <directory "/var/www/cgi-bin"> options indexes followsymlinks execcgi addhandler cgi-script .cgi .py allow </directory> <directory /var/www/cgi-bin> options </directory> step 2: and python script is: index.py #!/usr/bin/env python import cgi; import cgitb;cgitb.enable() print "content-type: text/plain\n" print "<b>hello python</b>" step 3: when ran through chrome browser using: url : http://localhost/cgi-bin/index.py step 4: i getting error in error-log malformed header script 'index.py': bad header: hello python you should end header \r\n, must print out yet \r\n signal body coming. (i
Read more