author | Lars Wirzenius <liw@liw.fi> | 2017-10-09 11:01:20 +0300 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2017-10-09 11:01:20 +0300 |
commit | e71acd2705f9c2354965d61c35e1c0034b18ce66 (patch) | |
tree | ad565a09d86e7f8c90f57bc363757dcedd79836e | |
parent | 798b85763d5b640ca3106cca219cbccc70391511 (diff) | |
download | apifw-e71acd2705f9c2354965d61c35e1c0034b18ce66.tar.gz |
Add: disallow empty bodies for PUT and POST requests
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | apifw/__init__.py | 1 | ||||
-rw-r--r-- | apifw/bottleapp.py | 8 | ||||
-rw-r--r-- | apifw/http.py | 2 |
4 files changed, 12 insertions, 1 deletions
@@ -7,6 +7,8 @@ This file summarizes changes between releases of `apifw`. Version 0.14+git, not yet released ---------------------------------- +* Disallow empty bodies for POST and PUT requests. Status code 411 is + returned in that case. Version 0.14, released 2017-10-04 ---------------------------------- diff --git a/apifw/__init__.py b/apifw/__init__.py index 42c575b..7c1ce5b 100644 --- a/apifw/__init__.py +++ b/apifw/__init__.py @@ -24,6 +24,7 @@ from .http import ( HTTP_NOT_FOUND, HTTP_BAD_REQUEST, HTTP_CONFLICT, + HTTP_LENGTH_REQUIRED, ) from .token import create_token, decode_token from .bottleapp import BottleApplication, create_bottle_application diff --git a/apifw/bottleapp.py b/apifw/bottleapp.py index 774e1c2..541ddfe 100644 --- a/apifw/bottleapp.py +++ b/apifw/bottleapp.py @@ -258,9 +258,15 @@ class BottleApplication: return wrapper def _get_request_body(self): + raw_body = bottle.request.body.read() + if bottle.request.method in ('POST', 'PUT'): + if len(raw_body) == 0: + raise bottle.HTTPError( + apifw.HTTP_LENGTH_REQUIRED, + body='Empty body not allowed for PUT/POST') + json_type = 'application/json' content_type = bottle.request.get_header('Content-Type') - raw_body = bottle.request.body.read() if content_type != json_type: return content_type, raw_body diff --git a/apifw/http.py b/apifw/http.py index 62f9234..0675442 100644 --- a/apifw/http.py +++ b/apifw/http.py @@ -21,6 +21,8 @@ HTTP_FORBIDDEN = 403 HTTP_NOT_FOUND = 404 HTTP_BAD_REQUEST = 400 HTTP_CONFLICT = 409 +HTTP_CONFLICT = 409 +HTTP_LENGTH_REQUIRED = 411 class HttpTransaction: |
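Review bot: In `_get_request_body` the new empty-body check answers 411 even when the client did send `Content-Length: 0`, although 411 Length Required tells the client that the header is missing; an empty but declared body is better reported as 400. One way is to pick the status from the header, `status = apifw.HTTP_LENGTH_REQUIRED if bottle.request.get_header('Content-Length') is None else apifw.HTTP_BAD_REQUEST`, and raise with that. The tuple `('POST', 'PUT')` also leaves out PATCH, so a PATCH route, if the application has one, would still accept an empty body; routing is not visible in this hunk. The function continues past the end of the hunk, and the commit adds no test for the new rejection path.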
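Review bot: The first added line in `apifw/http.py` repeats `HTTP_CONFLICT = 409`, which the context line directly above it already defines; only `HTTP_LENGTH_REQUIRED = 411` is new. The rebinding is harmless at runtime but looks like a copy-paste leftover, and it should be dropped so the constant has a single definition.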