python - Tornado - JSON Output sent as Response to be wrapped in dictionary -

-

i came across section in docs :

requesthandler.write(chunk)

writes given chunk output buffer.

to write output network, use flush() method below.

if given chunk dictionary, write json , set content-type of response application/json. (if want send json different content-type, call set_header after calling write()).

note lists not converted json because of potential cross-site security vulnerability. json output should wrapped in dictionary. more details @ http://haacked.com/archive/2009/06/25/json-hijacking.aspx/ , https://github.com/facebook/tornado/issues/1009

so have few questions related this:

  1. what mean this?

if given chunk dictionary, write json.

  1. what mean this?

note lists not converted json because of potential cross-site security vulnerability.

  1. what mean this? , here, mean json output? , why wrap in dictionary?

all json output should wrapped in dictionary.

  1. this has 2 subparts :

    a. best way send json responses tornado client?

    b. better way send responses? if not json, is? , if json, mention answer subpart (a).

please try answer parts , subparts in numbered manner can understand them properly.

  1. what mean this?

    if given chunk dictionary, write json.

it means, if pass dict write automatically json encoded. method write can handle dict, byte, unicode_type (simplifying str).

  1. what mean this?

    note lists not converted json because of potential cross-site security vulnerability.

assume provide service , request /example/my_service/user_data.json , json response.

if top level object array like:

["john smith", "email@mail"]

then attacker redefine array's constructor , add script tag /example/my_service/user_data.json, gets evaluated - array created attacker's constructor. because standalone array valid javascript code.

since standalone objects, except empty one, not valid js, if return

{"name": "john smith", "email":"email@mail"}

attacker end syntaxerror: missing ; before statement or similar.

more info http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/

  1. what mean this? , here, mean json output? , why wrap in dictionary?

    all json output should wrapped in dictionary.

as read above, becomes pretty clear, top-level element in json should not array. tornado raise error if pass list.of course can bypass safety, passing string (json dumps before wirte), not wise:

self.write('["this", "is", "wrong"]')

  1. a. best way send json responses tornado client?

    b. better way send responses? if not json, is? , if json, mention answer subpart (a).

i use, if possible, json or xml response. not using tornado's mechanism that, pass encoded object - string write. reason is, it's cleanest way override tornado's encoders , use e.g. ujson.

edit

worth noting modern browsers should not vulnerable.


Comments

Post a Comment

Popular posts from this blog

c++ - llvm function pass ReplaceInstWithInst malloc -

-
#include "llvm/pass.h" #include "llvm/ir/module.h" #include "llvm/ir/function.h" #include "llvm/support/raw_ostream.h" #include "llvm/ir/legacypassmanager.h" #include "llvm/ir/instrtypes.h" #include "llvm/transforms/ipo/passmanagerbuilder.h" #include "llvm/ir/irbuilder.h" #include "llvm/transforms/utils/basicblockutils.h" using namespace llvm; namespace { struct replacepass : public functionpass { static char id; replacepass() : functionpass(id) {} virtual bool runonfunction(function &f) { allocainst* insttoreplace = ??? basicblock::iterator ii(insttoreplace); replaceinstwithinst(insttoreplace->getparent()->getinstlist(), ii, new allocainst(type::int32ty, 0, insttoreplace)); return true; } }; } char replacepass::id = 0; static void registerreplacepass(const passmanagerbuilder &, legacy::passmanagerbase &pm) { pm.add(new re
Read more

java.lang.NoClassDefFoundError When Creating New Android Project -

-
i've tried installing (and re-installing) android studio several times now, , each time, studio isn't able create new android project. when attempt initial android studio window (ie. basic 'create', 'open', 'import' etc options), i'm asked of questions in wizard, brief progress dialog, followed nothing @ all. if open incomplete project process creates choosing 'open' list, can try choosing create new android project menu. this has same issue, error message in output console time... java.lang.noclassdeffounderror: com/sun/xml/internal/bind/v2/model/annotation/annotationreader (wrong name: com/sun/xml/internal/bind/v0/model/qnnotation/annotationreader) note: when installed android studio, installed incompatible jdk (1.8, not 1.7). have had go default project settings change jdk uses 1.8. does know how can avoid this? there place should downloading jxb classes? missing in java paths? this appears have been caused cor
Read more

Decoding a Python 2 `tempfile` with python-future -

-
i'm attempting write python 2/3 compatible routine fetch csv file, decode latin_1 unicode , feed csv.dictreader in robust, scalable manner. for python 2/3 support, i'm using python-future including imporing open builtins , , importing unicode_literals consistent behaviour i'm hoping handle exceptionally large files spilling disk, using tempfile.spooledtemporaryfile i'm using io.textiowrapper handle decoding latin_1 encoding before feeding dictreader this works fine under python 3. the problem textiowrapper expects wrap stream conforms bufferediobase . unfortunately under python 2, although have imported python 3-style open , vanilla python 2 tempfile.spooledtemporaryfile still of course returns python 2 cstringio.stringo , instead of python 3 io.bytesio required textiowrapper . i can think of these possible approaches: wrap python 2 cstringio.stringo python 3-style io.bytesio . i'm not sure how approach - need write such wrapper or 1 ex
Read more