This is logical for me. Thank you for the explanation. I read the book often, especially the ajax part. I found this sentence: "It is good practice to always digitally sign Ajax callbacks."
Now I ask myself: Is it possible to sign the URL and exclude keyword and stype, so that a user can't submit other vars? In the book there is an example with LOAD, which I understand. But for ajax, in my case, it now seems to be impossible to sign it. I have no idea. I think I must treat the ajax callback as potentially insecure and handle it accordingly.

On Wednesday, March 19, 2014 10:37:33 PM UTC+1, Niphlod wrote:
>
> you're missing a point: separation of what is executed by python and what is executed by javascript.
>
> user_signature takes into consideration a/c/f, args AND vars.
>
> your URL link in the onkeyup attribute is generated by python, but then ajax() takes the values presented in the form (in your case, while the user is typing values) and posts those to the original URL (as vars).
>
> python can't know in advance what values the user will type, and javascript (ajax()) can't sign the "resulting url" because of two things:
> - it doesn't know what hmac_key to use ('cause only the server knows what it is, that's the whole point of user_signature)
> - it doesn't know HOW to create the signature
>
> If you need signed URLs, you need to verify the url without taking vars into consideration.
> Please review the book about the signature process...
>
> http://web2py.com/books/default/chapter/29/04/the-core?search=signed#Digitally-signed-urls
>
> BTW: auth.requires_signature() takes hash_vars as a parameter too.
>
> On Wednesday, March 19, 2014 10:18:38 PM UTC+1, Mike Constabel wrote:
>>
>> Doesn't work. The generated HTML code:
>>
>> <input id="keyword" name="keyword" onkeyup="ajax(URL('callback', ['keyword', 'stype'], user_signature=True), 'target');" type="text" />
>>
>> On Wednesday, March 19, 2014 4:31:41 PM UTC+1, LightDot wrote:
>>>
>>> Try:
>>>
>>> TD(INPUT(_id='keyword', _name='keyword', _onkeyup="ajax(URL('callback', ['keyword', 'stype'], user_signature=True), 'target');"), _name="search_type")))
>>>
>>> Regards
>>>
>>> On Wednesday, March 19, 2014 1:59:38 PM UTC+1, Mike Constabel wrote:
>>>>
>>>> Hi,
>>>>
>>>> in a form I have
>>>>
>>>> TD(INPUT(_id='keyword', _name='keyword', _onkeyup="ajax(URL('callback', ['keyword', 'stype']), 'target');"), _name="search_type")))
>>>>
>>>> If a text is entered, callback is called and some text is displayed in target. This works.
>>>>
>>>> But now I want to sign the URL.
>>>>
>>>> If I add @auth.requires_signature() to the callback function, it no longer works. The ajax call must be signed.
>>>>
>>>> @auth.requires_signature()
>>>> def callback():
>>>>     return P("foo")
>>>>
>>>> But how can I add "user_signature=True" to the code above so that the ajax call will be signed?
>>>>
>>>> Regards,
>>>> Mike
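Niphlod's explanation above (the signature covers a/c/f, args and vars; ajax() cannot sign because only the server holds the HMAC key; verify without vars if the vars are typed by the user) can be made concrete with a small model of the scheme. The following is an added example, not web2py's own code and not code from anyone in this thread: it re-implements the idea behind URL(..., user_signature=True, hash_vars=...) and @auth.requires_signature(hash_vars=...) with a local HMAC so it runs stand-alone. The canonical message format, the SHA-512 choice, the fixed SERVER_HMAC_KEY and the sample form values are assumptions made for illustration; web2py's real implementation differs in detail and derives the key from the user's session. What it shows is the failure Mike hits (a URL signed with vars included stops verifying as soon as ajax() posts the typed keyword and stype, because request.vars then contains values that were not there at signing time), the workaround Niphlod points to (sign and verify with hash_vars=False), and the caveat that comes with it: the path is still protected against tampering and forgery, but the vars are no longer covered by the signature, so the callback must validate keyword and stype as untrusted input.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed, server-only secret. In web2py the key is tied to the user's
# session; the browser never sees it, which is why ajax() cannot sign anything.
SERVER_HMAC_KEY = b"constructed-server-only-key"


def _signed_message(path, vars, hash_vars):
    """Canonical string the signature covers: the path plus, when hash_vars
    is True, the sorted vars (the _signature var itself is never included)."""
    if hash_vars:
        items = sorted((k, v) for k, v in vars.items() if k != "_signature")
    else:
        items = []
    return path + "?" + urlencode(items)


def sign_url(path, vars=None, hash_vars=True, key=SERVER_HMAC_KEY):
    """Server side, at page-render time: models URL(..., user_signature=True,
    hash_vars=...) by appending a _signature var to the URL."""
    vars = dict(vars or {})
    message = _signed_message(path, vars, hash_vars).encode()
    vars["_signature"] = hmac.new(key, message, hashlib.sha512).hexdigest()
    return path + "?" + urlencode(vars)


def verify_request(url, post_vars=None, hash_vars=True, key=SERVER_HMAC_KEY):
    """Server side, at request time: models @auth.requires_signature(hash_vars=...).
    web2py's request.vars merges GET and POST vars, so the form fields that
    ajax() posts are part of what a hash_vars=True check has to cover."""
    parts = urlsplit(url)
    vars = dict(parse_qsl(parts.query))
    vars.update(post_vars or {})
    signature = vars.pop("_signature", None)
    if signature is None:
        return False
    message = _signed_message(parts.path, vars, hash_vars).encode()
    expected = hmac.new(key, message, hashlib.sha512).hexdigest()
    # Constant-time comparison so the check does not leak the digest byte by byte.
    return hmac.compare_digest(signature, expected)


def demo():
    path = "/app/default/callback"
    # 1. Python renders the page and signs the URL before the user has typed
    #    anything, so no keyword/stype vars exist at signing time.
    url_all_vars = sign_url(path, hash_vars=True)
    url_path_only = sign_url(path, hash_vars=False)
    # 2. The user types; ajax() posts the form fields as vars (constructed values).
    typed = {"keyword": "web2py", "stype": "title"}
    return {
        # Signature over path+vars verifies only while no vars arrive...
        "empty_ok": verify_request(url_all_vars, {}, hash_vars=True),
        # ...and breaks as soon as ajax() adds the typed values (Mike's problem).
        "hash_vars_breaks_on_ajax_vars": verify_request(url_all_vars, typed, hash_vars=True),
        # Signing and verifying the path only lets the callback accept typed vars...
        "path_only_ok": verify_request(url_path_only, typed, hash_vars=False),
        # ...including any vars at all, so they are unauthenticated input.
        "path_only_any_vars": verify_request(url_path_only, {"keyword": "x", "extra": "1"}, hash_vars=False),
        # The path is still protected: retargeting the URL or forging the
        # signature without the server key fails.
        "tampered_path": verify_request(url_path_only.replace("callback", "admin"), typed, hash_vars=False),
        "forged_signature": verify_request(path + "?_signature=" + "0" * 128, typed, hash_vars=False),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In the thread's terms, the model corresponds to generating the link with hash_vars=False and decorating the callback with auth.requires_signature(hash_vars=False); Niphlod's remark that requires_signature() accepts hash_vars is what makes the two sides agree. The example deliberately keeps the path in the signed message so the reader can see that dropping the vars from the hash does not make the signature pointless.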