authorLars Wirzenius <liw@liw.fi>2017-10-09 11:01:20 +0300
committerLars Wirzenius <liw@liw.fi>2017-10-09 11:01:20 +0300
commite71acd2705f9c2354965d61c35e1c0034b18ce66 (patch)
treead565a09d86e7f8c90f57bc363757dcedd79836e /apifw
parent798b85763d5b640ca3106cca219cbccc70391511 (diff)
Add: disallow empty bodies for PUT and POST requests
Diffstat (limited to 'apifw')
-rw-r--r--apifw/__init__.py1
-rw-r--r--apifw/bottleapp.py8
-rw-r--r--apifw/http.py2
3 files changed, 10 insertions, 1 deletions
diff --git a/apifw/__init__.py b/apifw/__init__.py
index 42c575b..7c1ce5b 100644
--- a/apifw/__init__.py
+++ b/apifw/__init__.py
@@ -24,6 +24,7 @@ from .http import (
HTTP_NOT_FOUND,
HTTP_BAD_REQUEST,
HTTP_CONFLICT,
+ HTTP_LENGTH_REQUIRED,
)
from .token import create_token, decode_token
from .bottleapp import BottleApplication, create_bottle_application
diff --git a/apifw/bottleapp.py b/apifw/bottleapp.py
index 774e1c2..541ddfe 100644
--- a/apifw/bottleapp.py
+++ b/apifw/bottleapp.py
@@ -258,9 +258,15 @@ class BottleApplication:
return wrapper
def _get_request_body(self):
+ raw_body = bottle.request.body.read()
+ if bottle.request.method in ('POST', 'PUT'):
+ if len(raw_body) == 0:
+ raise bottle.HTTPError(
+ apifw.HTTP_LENGTH_REQUIRED,
+ body='Empty body not allowed for PUT/POST')
+
json_type = 'application/json'
content_type = bottle.request.get_header('Content-Type')
- raw_body = bottle.request.body.read()
if content_type != json_type:
return content_type, raw_body
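Review bot: The new guard rejects an empty PUT/POST body with `apifw.HTTP_LENGTH_REQUIRED` (411), but 411 tells the client that the Content-Length header is missing, while the test is `len(raw_body) == 0` and so also fires for a request that correctly sent `Content-Length: 0`. Using `apifw.HTTP_BAD_REQUEST,` in that `raise` would match the condition actually checked; if 411 is intended, the guard should inspect the header rather than the body length. Separately, `bottle.request.body.read()` pulls the whole body into memory with no size bound visible in this hunk, both before and after the change, so it is worth confirming that a request-size limit is enforced before this method runs. `_get_request_body` continues past the end of the hunk, so the JSON-parsing path is not visible here.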
diff --git a/apifw/http.py b/apifw/http.py
index 62f9234..0675442 100644
--- a/apifw/http.py
+++ b/apifw/http.py
@@ -21,6 +21,8 @@ HTTP_FORBIDDEN = 403
HTTP_NOT_FOUND = 404
HTTP_BAD_REQUEST = 400
HTTP_CONFLICT = 409
+HTTP_CONFLICT = 409
+HTTP_LENGTH_REQUIRED = 411
class HttpTransaction:
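Review bot: The first added line repeats `HTTP_CONFLICT = 409`, which is already defined on the context line directly above it. The duplicate assignment is harmless at runtime but looks like a copy-paste slip, and it leaves two places to edit if the constant ever changes. The hunk should add only `HTTP_LENGTH_REQUIRED = 411`.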