Issue #1159 open

GET and POST form data are mixed in

space one
created an issue

    @cherrypy.expose
    def index(**kwargs):
        return '%r' % (kwargs,)

    $ curl -i -X POST -d 'foo=bar' http://localhost:8080/?foo=a
    {'foo': [u'a', u'bar']}

This is a security issue, because GET arguments can be used to send additional POST data…

Comments (6)

  1. space one reporter

    Hmm, no: cherrypy.request.params is also the mixin. So how can I get the raw GET data instead of parsing cherrypy.request.query_string?

  2. space one reporter

    This is a sign of bad design, as HTTP defined different usages for the QueryString in the URI and a representation of a resource in the request body. Great! If it supports both GET and POST... but it only supports both of them; you are not able to use the raw GET querystring variables on a POST request. If you want to, you must parse it again for yourself... Anyway, I don't mind if this is a WONTFIX, but it is actually one of the reasons why I decided not to use cherrypy anymore. I found a framework which uses a very similar API to cherrypy but is more user-friendly and more powerful if you plan to create really big web applications (not like the Hello World example) and which has a way cleaner design…
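The behaviour reported in this issue, and the question in the first comment about getting at the query-string values on their own, can be illustrated with the standard library alone. This is an added example, not CherryPy code and not part of the thread; the function names `split_params`, `merged` and `form_fields` are hypothetical, and `merged` only models the output shown in the report. In a handler, the two inputs would be the request's query string (such as `cherrypy.request.query_string` mentioned above) and the raw request body.

```python
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"


class ParameterCollision(ValueError):
    """A field name was supplied in both the query string and the body."""


def _unwrap(params):
    # One value stays a plain string, several stay a list (as in the report).
    return {k: v[0] if len(v) == 1 else v for k, v in params.items()}


def split_params(query_string, body=b"", content_type=FORM):
    """Parse the two sources separately; return (query, form) dicts of lists."""
    query = parse_qs(query_string, keep_blank_values=True)
    form = {}
    if content_type.split(";")[0].strip().lower() == FORM:
        form = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    return query, form


def merged(query, form):
    """Model of the mixed dict in the report: query values first, then body."""
    out = {}
    for source in (query, form):
        for key, values in source.items():
            out.setdefault(key, []).extend(values)
    return _unwrap(out)


def form_fields(query_string, body, content_type=FORM):
    """Return body fields only; refuse a request whose query string reuses one."""
    query, form = split_params(query_string, body, content_type)
    clash = sorted(set(query) & set(form))
    if clash:
        raise ParameterCollision("in query string and body: " + ", ".join(clash))
    return _unwrap(form)


if __name__ == "__main__":
    # Constructed input matching the curl call in the report.
    q, f = split_params("foo=a", b"foo=bar")
    print(merged(q, f))                          # the mixed view
    print(form_fields("page=2", b"foo=bar"))     # body-only view
```

A POST handler that reads its fields through a body-only view like `form_fields` cannot have a form value extended or shadowed by something appended to the URL.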
