Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Need less restrictive HTTP method validation #951

Closed
wolfhechel opened this issue Jul 4, 2016 · 7 comments
Closed

Need less restrictive HTTP method validation #951

wolfhechel opened this issue Jul 4, 2016 · 7 comments
Labels
outdated

Comments

@wolfhechel
Copy link
Contributor

First of all I'm sorry if this topic has been brought up before, I tried to search for a similar issue but couldn't find any.

As it is right now the only methods allowed for routing and requests are the ones defined in RFC7231 and RFC5789.
In reality there are far more methods used in the open like WebDAV methods (MOVE, COPY, UPDATE, LOCK, UNLOCK etc), GENA methods (SUBSCRIBE, UNSUBCRIBE, NOTIFY).

IANA lists the most common ones defined in RFC's at least, I was surprised to see GENA methods were missing though.

Point being, is there any reason as to why aiohttp is limited in this matter a part from the potential abuse in class-based views?

I know this is an issue already as I've done WebDAV and GENA work with aiohttp in projects, and as it is now I'm monkey-patching the method checks in order to allow route registration there.
@wolfhechel
Copy link
Contributor Author

Also I'm sorry this issue doesn't follow the issue template, but as this is a discussion more than a bug report I hope you can find it in your heart to forgive me.

@asvetlov asvetlov mentioned this issue Jul 6, 2016
Closed
@asvetlov
Copy link
Member

asvetlov commented Jul 6, 2016

Please take a look on #960
Is the proposed solution satisfies your needs?

@wolfhechel
Copy link
Contributor Author

Indeed that solves it for class based views at least, it still doesn't allow regular views as that's limited by the AbstractRoute implementation.

Would it be of any harm to remove lines 84:86 from AbstractRoute, since technically the only definition of a HTTP method is that it only consists of alphanumeric characters.

Actually, according to the HTTP 1.1 RFC a method can be any number of digits, letters or the symbols !#$%&'*+-.^_`|~.

@asvetlov
Copy link
Member

My main reason for keeping checks was preventing user from silly types. For example I wanted to have a error on writing app.router.add_route('POSTT', '/', handler).

Now thanks to #989 we have shortcut methods for server api, and we already had these for client.

So my objection has gone away, we can relay checks significantly.

@wolfhechel are you volunteered for this task?

@wolfhechel
Copy link
Contributor Author

@asvetlov Absolutely, I still think that methods should be validated according to RFC 1.1 specifications though so I'll implement that instead.

@wolfhechel wolfhechel mentioned this issue Aug 2, 2016
Merged
3 tasks
@asvetlov
Copy link
Member

Fixed by #1037

@lock
Copy link

lock bot commented Oct 29, 2019

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there's important points made in this discussion,
please include those exceprts into that new issue.

@lock lock bot added the outdated label Oct 29, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Oct 29, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
outdated
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@asvetlov @wolfhechel