From e71acd2705f9c2354965d61c35e1c0034b18ce66 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Mon, 9 Oct 2017 11:01:20 +0300
Subject: Add: disallow empty bodies for PUT and POST requests

---
 NEWS | 2 ++
 apifw/__init__.py | 1 +
 apifw/bottleapp.py | 8 +++++++-
 apifw/http.py | 2 ++
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 7eb3e55..ab33e6e 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ This file summarizes changes between releases of `apifw`.
 Version 0.14+git, not yet released
 ----------------------------------
 
+* Disallow empty bodies for POST and PUT requests. Status code 411 is
+  returned in that case.
 
 Version 0.14, released 2017-10-04
 ----------------------------------
diff --git a/apifw/__init__.py b/apifw/__init__.py
index 42c575b..7c1ce5b 100644
--- a/apifw/__init__.py
+++ b/apifw/__init__.py
@@ -24,6 +24,7 @@ from .http import (
     HTTP_NOT_FOUND,
     HTTP_BAD_REQUEST,
     HTTP_CONFLICT,
+    HTTP_LENGTH_REQUIRED,
 )
 from .token import create_token, decode_token
 from .bottleapp import BottleApplication, create_bottle_application
diff --git a/apifw/bottleapp.py b/apifw/bottleapp.py
index 774e1c2..541ddfe 100644
--- a/apifw/bottleapp.py
+++ b/apifw/bottleapp.py
@@ -258,9 +258,15 @@ class BottleApplication:
         return wrapper
 
     def _get_request_body(self):
+        raw_body = bottle.request.body.read()
+        if bottle.request.method in ('POST', 'PUT'):
+            if len(raw_body) == 0:
+                raise bottle.HTTPError(
+                    apifw.HTTP_LENGTH_REQUIRED,
+                    body='Empty body not allowed for PUT/POST')
+
         json_type = 'application/json'
         content_type = bottle.request.get_header('Content-Type')
-        raw_body = bottle.request.body.read()
         if content_type != json_type:
             return content_type, raw_body
 
diff --git a/apifw/http.py b/apifw/http.py
index 62f9234..0675442 100644
--- a/apifw/http.py
+++ b/apifw/http.py
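Review bot: The new check in `_get_request_body` answers an empty body with 411 Length Required, but the condition it tests is `len(raw_body) == 0`, not a missing Content-Length header, so a request that legitimately declares `Content-Length: 0` is told to supply a header it already sent and a client that follows the 411 semantics may simply resend the same request. A body that is present but empty is a malformed request for this API, which is what 400 expresses; `apifw.HTTP_BAD_REQUEST` is already exported by the package (see the `__init__.py` hunk), so `if not raw_body:` followed by `raise bottle.HTTPError(apifw.HTTP_BAD_REQUEST, body='Empty body not allowed for PUT/POST')` needs no new constant, and 411 could be reserved for the case `bottle.request.get_header('Content-Length') is None` if that distinction matters to callers. Note also that `bottle.request.body.read()` now runs before any check for every method and the hunk shows no bound on how much it reads; whether a Content-Length cap or bottle's in-memory limit is enforced further up the stack is not visible here and is worth confirming. `_get_request_body` continues past the end of the hunk.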
@@ -21,6 +21,8 @@ HTTP_FORBIDDEN = 403
 HTTP_NOT_FOUND = 404
 HTTP_BAD_REQUEST = 400
 HTTP_CONFLICT = 409
+HTTP_CONFLICT = 409
+HTTP_LENGTH_REQUIRED = 411
 
 
 class HttpTransaction:
--
cgit v1.2.1
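Review bot: `HTTP_CONFLICT = 409` ends up defined twice on the new side of this hunk: the context line already has it and the first added line repeats it. The rebinding is harmless at runtime but reads as an editing leftover and will keep resurfacing in future diffs, so the only line that should be added here is `HTTP_LENGTH_REQUIRED = 411`. Because the package uses 411 for an empty POST/PUT body rather than for a missing Content-Length (see the `bottleapp.py` hunk), a short comment on the constant such as `# 411: raised by _get_request_body when a POST/PUT body is empty` would keep that non-standard meaning discoverable. The `HttpTransaction` class that follows lies outside the hunk.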