Again, missing a point...
Ajax callbacks **should** be signed, simply because there's no way to 
sign URLs in JavaScript, meaning: if you move the signing part to a 
piece of code that is executed on the client, you lose all the benefits of 
the signature itself, because it can be forged.
That being said, if you sign the URL without the vars, it's still a much 
more secure path than no signing at all or using a fixed hmac_key.
If you really read the book, then you'll know you can skip the vars when 
dealing with signatures (both with fixed hmac_keys and with user 
signatures).

On Wednesday, March 19, 2014 11:14:59 PM UTC+1, Mike Constabel wrote:
>
> This is logical for me. Thank you for the explanation.
>
> I read the book often, especially the ajax part. I found this sentence: 
> "It is good practice to always digitally sign Ajax callbacks."
>
> Now I ask myself:
> Is it possible to sign the URL and exclude keyword and stype, so that a 
> user can't submit other vars?
>
> In the book there is an example with LOAD, which I understand.
>
> But for ajax in my case it now seems impossible to sign it. I have 
> no idea.
>
> I think I must treat the ajax callback as potentially insecure and handle it 
> accordingly.
>
> On Wednesday, 19 March 2014 22:37:33 UTC+1, Niphlod wrote:
>>
>> you're missing a point: separation of what is executed by python and what 
>> is executed by javascript.
>>
>> user_signature takes into consideration a/c/f, args AND vars.
>>
>> your URL link in the onkeyup attribute is generated by Python, but then 
>> ajax() takes the values present in the form (in your case, while the user 
>> is typing values) and posts those to the original URL (as vars).
>>
>> Python can't know in advance what values the user will type, and 
>> JavaScript (ajax()) can't sign the "resulting URL" because of two things:
>> - it doesn't know what hmac_key to use ('cause only the server knows what 
>> it is, that's the whole point of user_signature)
>> - it doesn't know HOW to create the signature
>>
>> If you need signed URLs, you need to verify the URL without taking vars 
>> into consideration.
>> Please review the book about the signature process...
>>
>> http://web2py.com/books/default/chapter/29/04/the-core?search=signed#Digitally-signed-urls
>>
>> BTW: auth.requires_signature() takes hash_vars as a parameter too.
>>
>> On Wednesday, March 19, 2014 10:18:38 PM UTC+1, Mike Constabel wrote:
>>>
>>> Doesn't work. The generated HTML code:
>>>
>>> <input id="keyword" name="keyword" onkeyup="ajax(URL(&#x27;callback&#x27;, 
>>> [&#x27;keyword&#x27;, &#x27;stype&#x27;], user_signature=True), 
>>> &#x27;target&#x27;);" type="text" />
>>>
>>>
>>>
>>> On Wednesday, 19 March 2014 16:31:41 UTC+1, LightDot wrote:
>>>>
>>>> Try:
>>>>
>>>> TD(INPUT(_id='keyword', _name='keyword', _onkeyup="ajax(URL('callback', 
>>>> ['keyword', 'stype'], user_signature=True), 'target');"), _name=
>>>> "search_type")))
>>>>
>>>> Regards
>>>>
>>>> On Wednesday, March 19, 2014 1:59:38 PM UTC+1, Mike Constabel wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> in a form i have
>>>>>
>>>>> TD(INPUT(_id='keyword', _name='keyword', _onkeyup="ajax(URL('callback', 
>>>>> ['keyword', 'stype']), 'target');"), _name="search_type")))
>>>>>
>>>>> If a text is entered, callback is called and some text is displayed in 
>>>>> target. This works.
>>>>>
>>>>> But now I want to sign the URL.
>>>>>
>>>>> If I add @auth.requires_signature() to callback function, it no longer 
>>>>> works. The ajax call must be signed.
>>>>>
>>>>> @auth.requires_signature()
>>>>> def callback():
>>>>>     return P("foo")
>>>>>
>>>>> But how can I add "user_signature=True" to the code above so that the 
>>>>> ajax call will be signed?
>>>>>
>>>>> Regards,
>>>>> Mike
>>>>>
>>>>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
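The separation the thread is about, as an added example that is not part of any post and not web2py's own code: a server-side HMAC over a/c/f plus args, with the vars either covered (`hash_vars=True`) or left out (`hash_vars=False`), and a verifier that recomputes the MAC over whatever the browser actually sent. The `_signature` var name mirrors web2py's, but the MAC construction, the constructed `HMAC_KEY`, and the names `sign_url`, `verify_url`, `onkeyup_attribute` and `demo` are all assumptions of this example, not web2py's implementation.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed demo secret. With web2py's user_signature=True the key is
# per-session and known only to the server; the browser never gets it,
# which is exactly why ajax() cannot produce a valid signature itself.
HMAC_KEY = b"constructed-demo-key-not-for-production"


def _canonical(path, query_pairs, hash_vars):
    """Bytes that get MACed. The path (a/c/f plus args) is always covered;
    the query vars only when hash_vars is True. _signature itself is never
    part of its own input."""
    parts = [path]
    if hash_vars:
        pairs = sorted((k, v) for k, v in query_pairs if k != "_signature")
        parts.append(urlencode(pairs))  # sorted: var order on the wire is irrelevant
    return "|".join(parts).encode()


def sign_url(path, query_pairs=(), hash_vars=True, key=HMAC_KEY):
    """Server side: return path?vars&_signature=<hex>.
    query_pairs is a sequence of (name, value) tuples known at render time."""
    pairs = list(query_pairs)
    digest = hmac.new(key, _canonical(path, pairs, hash_vars), hashlib.sha256).hexdigest()
    return path + "?" + urlencode(pairs + [("_signature", digest)])


def verify_url(url, hash_vars=True, key=HMAC_KEY):
    """Server side: recompute the MAC over what the client actually sent and
    compare in constant time. Stand-in for @auth.requires_signature(hash_vars=...)."""
    parsed = urlsplit(url)
    pairs = parse_qsl(parsed.query, keep_blank_values=True)
    presented = dict(pairs).get("_signature")
    if presented is None:
        return False
    expected = hmac.new(key, _canonical(parsed.path, pairs, hash_vars), hashlib.sha256).hexdigest()
    return hmac.compare_digest(presented, expected)


def onkeyup_attribute(signed_url):
    """Python renders the already-signed URL into the JS string; ajax() then
    only appends the current form values. Compare with the generated HTML in
    the thread, where URL(...) ended up verbatim inside the JavaScript."""
    return "ajax('%s', ['keyword', 'stype'], 'target');" % signed_url


def demo():
    """Exercise both modes and return the four verification outcomes."""
    # hash_vars=False: only the callback path is signed; the keyword/stype the
    # user types later ride along unsigned and must be validated server-side.
    signed = sign_url("/app/default/callback", hash_vars=False)
    with_typed_vars = signed + "&" + urlencode({"keyword": "foo", "stype": "title"})
    accepts_any_vars = verify_url(with_typed_vars, hash_vars=False)

    # Re-pointing the signed link at another action still fails: the path is covered.
    tampered_path = with_typed_vars.replace("/callback", "/delete_everything")
    rejects_other_path = verify_url(tampered_path, hash_vars=False)

    # hash_vars=True: vars known at render time are covered, so changing one fails.
    signed_full = sign_url("/app/default/callback", [("keyword", "foo")], hash_vars=True)
    accepts_intact = verify_url(signed_full, hash_vars=True)
    rejects_changed_var = verify_url(signed_full.replace("keyword=foo", "keyword=bar"), hash_vars=True)
    return accepts_any_vars, rejects_other_path, accepts_intact, rejects_changed_var


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
    print(onkeyup_attribute(sign_url("/app/default/callback", hash_vars=False)))
```

The practical consequence of `hash_vars=False` is visible in `demo()`: the signature proves the link to `callback` was minted by the server, but it says nothing about `keyword` or `stype`, so the callback still has to validate those as untrusted input. The signature also has to be computed in Python at render time and interpolated into the `onkeyup` string; a literal `URL(...)` inside the JavaScript, as in the generated HTML quoted above, is never evaluated by anything.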