[dancer-users] Methods Of retrieving request parameters

Dave Cross dave at dave.org.uk
Tue Jul 12 16:27:46 BST 2016


Quoting Warren Young <wyml at etr-usa.com>:

> On Jul 11, 2016, at 3:29 AM, Dave Cross <dave at dave.org.uk> wrote:
>
>> The more explicitly-named methods are definitely safer. You really  
>> want to know where your parameters are coming from.
>
> I’m still waiting for someone to justify that stance with more than  
> confident prose assertions.  Someone, please show me code that the  
> new keywords makes better.

[ ... snip ... ]

It's to do with security. If you've written the application, you know  
the channels that the params should be coming through. If you've  
written the app so that it sends 'foo' as a body parameter and it  
arrives as a query parameter, then that might be evidence of someone  
doing something with your app that you would rather they didn't do.  
Perhaps they're probing it for security holes.

Imagine you have a form that contains important information in  
<hidden> form fields. You have filled in those fields in the HTML  
response that you sent back to the browser. That data should turn up  
in a body parameter. If it turns up in a query parameter, then someone  
is trying to override that value. Perhaps for nefarious reasons. If  
you were getting the value from a 'param' or 'params' call, you  
wouldn't know where the value comes from. Is it the legitimate body  
parameter or the added (perhaps nefarious) query parameter? You don't  
know. And that should worry you.

By all means continue to take the lax approach if you want. I learned  
long ago that the internet is a nasty place and I'm going to be as  
distrustful as possible of the data I get back from my users.

Dave...
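The hidden-field scenario above, written out as a Dancer2 route pair. This is an added illustration, not code from the original post or from the Dancer project; the `/order/lax` and `/order/strict` paths and the `price` field are constructed for the example, and it assumes the Dancer2 keywords `param`, `body_parameters`, `query_parameters`, `warning` and `send_error` as documented in Dancer2.

```perl
package HiddenFieldDemo;
use strict;
use warnings;
use Dancer2;

# Lax approach: param() returns a value merged from route, query and
# body parameters, so the handler cannot tell whether 'price' came from
# the hidden form field it rendered or from a query string someone
# appended to the URL.
post '/order/lax' => sub {
    my $price = param('price');    # body or query string: unknown
    return "charging $price";
};

# Explicit approach: read 'price' only from the channel the form was
# written to use (the request body). A copy of the same name arriving
# on the query string is evidence that something other than the form is
# driving the request, so log it and refuse the request.
post '/order/strict' => sub {
    my $price = body_parameters->get('price');

    if ( defined query_parameters->get('price') ) {
        # constructed log message for this example
        warning "hidden field 'price' also supplied as a query parameter";
        send_error( 'Bad request', 400 );
    }

    send_error( 'Bad request', 400 ) unless defined $price;
    return "charging $price";
};

__PACKAGE__->to_app;
```

With this in place, a request such as `POST /order/strict?price=1` carrying `price=100` in the body is rejected and logged, whereas the `/order/lax` handler would happily charge whichever of the two values `param()` happened to return.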
