python - Which skeleton is more correct?


I use Tornado in my projects and use this skeleton for the server. Using this code, I address methods via http://server/dev/foo and http://server/dev/bar. The code works in production.

    import tornado.gen
    import tornado.httpserver
    import tornado.ioloop
    import tornado.web

    # sessionbasehandler, acquiring, settings, session_settings and config
    # come from the rest of the project and are not shown here.

    class mainhandler(sessionbasehandler):

        def __init__(self, *args, **kwargs):
            global logger
            super(mainhandler, self).__init__(*args, **kwargs)

        @tornado.web.asynchronous
        @tornado.gen.coroutine
        def post(self, func_name):
            request = self.request.body
            # func_name is the "(.*)" group captured from the URL
            func = getattr(self, func_name)
            response = yield tornado.gen.Task(func, request)
            self.write(response)
            self.finish()

        def foo(self, query, callback):
            callback({"queryfoo": query})

        def bar(self, query, callback):
            callback({"querybar": query})


    class tornadoapplication(tornado.web.Application):

        def __init__(self):
            handlers = [
                (r"/dev/(.*)", acquiring.mainhandler),
            ]
            settings.update(session=session_settings)
            tornado.web.Application.__init__(self, handlers)


    http_server = tornado.httpserver.HTTPServer(tornadoapplication())
    http_server.listen(config.get('webserver', 'port'))
    tornado.ioloop.IOLoop.instance().start()

But at times the documentation and articles describe a skeleton like this:

    import tornado.gen
    import tornado.httpserver
    import tornado.ioloop
    import tornado.web

    class mainhandlerfoo(sessionbasehandler):

        def __init__(self, *args, **kwargs):
            global logger
            super(mainhandlerfoo, self).__init__(*args, **kwargs)

        @tornado.web.asynchronous
        @tornado.gen.coroutine
        def post(self):
            # the route has no capture group, so post() takes no extra argument
            request = self.request.body
            response = yield tornado.gen.Task(self._foo, request)
            self.write(response)
            self.finish()

        def _foo(self, query, callback):
            callback({"queryfoo": query})


    class mainhandlerbar(sessionbasehandler):

        def __init__(self, *args, **kwargs):
            global logger
            super(mainhandlerbar, self).__init__(*args, **kwargs)

        @tornado.web.asynchronous
        @tornado.gen.coroutine
        def post(self):
            request = self.request.body
            response = yield tornado.gen.Task(self._bar, request)
            self.write(response)
            self.finish()

        def _bar(self, query, callback):
            callback({"querybar": query})


    class tornadoapplication(tornado.web.Application):

        def __init__(self):
            # one fixed route per handler: nothing from the URL selects a method
            handlers = [
                (r"/dev/foo", acquiring.mainhandlerfoo),
                (r"/dev/bar", acquiring.mainhandlerbar),
            ]
            settings.update(session=session_settings)
            tornado.web.Application.__init__(self, handlers)


    http_server = tornado.httpserver.HTTPServer(tornadoapplication())
    http_server.listen(config.get('webserver', 'port'))
    tornado.ioloop.IOLoop.instance().start()

So I found myself at a loss. Can there be a problem when using my skeleton? Does my skeleton have significant functional disadvantages compared with the one described in the documentation, or is it only a problem of style?

The first method uses:

    getattr(self, func_name)

where func_name may match any value following the pattern .*. This means that a user can call any method of the handler, including methods of the base classes. This can lead to unexpected results and is a potential security risk.

The user can call any of the following example URLs, which are unintentionally exposed:

    /dev/__init__
    /dev/mro
    /dev/put
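
The risk described in this answer, as an added example that is not part of the original post and does not use Tornado: BaseHandler is a constructed stand-in for the framework base class, and dispatch, ENDPOINTS, SAFE_ROUTE and unintended_endpoints are hypothetical names. It lists what a getattr-based dispatch reaches beyond foo and bar, and shows the same dispatch restricted by an allowlist and a narrower route.

```python
import re

class BaseHandler:
    """Constructed stand-in for a framework base class (not Tornado's own)."""
    def __init__(self):
        self.sent = []
    def write(self, chunk):
        self.sent.append(chunk)
    def put(self, *args):
        self.sent.append("put called")

class UnsafeHandler(BaseHandler):
    """Same dispatch as the first skeleton: any attribute name is accepted."""
    def foo(self, query):
        return {"queryfoo": query}
    def bar(self, query):
        return {"querybar": query}
    def dispatch(self, func_name, body):
        # func_name plays the role of the "(.*)" group taken from the URL
        return getattr(self, func_name)(body)

class SafeHandler(UnsafeHandler):
    """Hardened variant: only names on an explicit allowlist are endpoints."""
    ENDPOINTS = frozenset({"foo", "bar"})
    def dispatch(self, func_name, body):
        if func_name not in self.ENDPOINTS:
            # a real handler would answer this with HTTP 404
            raise LookupError("no such endpoint: %r" % func_name)
        return getattr(self, func_name)(body)

# Route that can only capture an allowlisted name (instead of r"/dev/(.*)").
SAFE_ROUTE = re.compile(r"^/dev/(foo|bar)$")

def unintended_endpoints(handler, intended):
    """Callable attributes a getattr dispatch would reach besides `intended`."""
    return sorted(name for name in dir(handler)
                  if callable(getattr(handler, name)) and name not in intended)

if __name__ == "__main__":
    # Inherited and dunder methods show up next to the two intended endpoints.
    print(unintended_endpoints(UnsafeHandler(), {"foo", "bar"}))
```

Running unintended_endpoints against a real handler class in a test suite flags every inherited method that a name-based dispatch would expose.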
