Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remote clients can call hidden or private methods #3

Open
defnull opened this issue Jan 30, 2025 · 2 comments
Open

Remote clients can call hidden or private methods #3

defnull opened this issue Jan 30, 2025 · 2 comments

Comments

@defnull
Copy link

defnull commented Jan 30, 2025

There is no check if a requested handler function starts with an underscore, which means an attacker could request /_my_private_method and even pass arbitrary string parameters to it via query parameters. There are public methods on the Server class that can also be called that way.
@patx
Copy link
Owner

patx commented Jan 31, 2025

I added a check for private methods, they will now not be routed 11bcbae. As for the public methods in Server class, not sure what you mean could you please clarify? Thanks!!

@defnull
Copy link
Author

defnull commented Jan 31, 2025

For example GET /render_template?name=foo. You probably want to add more features soon, so the name clash between framework functionality and application route functions will get in your way eventually.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@defnull @patx