authorcolin <colin@cicadas.surf>2023-11-18 08:57:47 -0800
committercolin <colin@cicadas.surf>2023-11-18 08:57:47 -0800
commit1d3d018f01ffb71dcdeaa086b3025a00428b45c1 (patch)
tree95709b0f44b7ba36d25fb9872d356779df9d4688
parent3a9aac9a7a1c59f6bdce5a26ea2d17bdf65921c9 (diff)
Version bump; Allow for control of keyword reading
-rw-r--r--lazybones-hunchentoot.asd2
-rw-r--r--lazybones-hunchentoot.lisp19
-rw-r--r--lazybones.lisp7
-rw-r--r--package.lisp6
4 files changed, 29 insertions, 5 deletions
diff --git a/lazybones-hunchentoot.asd b/lazybones-hunchentoot.asd
index 4167cff..56ae2c0 100644
--- a/lazybones-hunchentoot.asd
+++ b/lazybones-hunchentoot.asd
@@ -4,7 +4,7 @@
:description "hunchentoot backend for lazybones"
:author "Colin Okay <okay@toyful.space>"
:license "AGPLv3"
- :version "0.2.0"
+ :version "0.2.1"
:serial t
:depends-on (#:hunchentoot #:lazybones)
:components ((:file "lazybones-hunchentoot")))
diff --git a/lazybones-hunchentoot.lisp b/lazybones-hunchentoot.lisp
index 38480a0..2b3bf1e 100644
--- a/lazybones-hunchentoot.lisp
+++ b/lazybones-hunchentoot.lisp
@@ -208,7 +208,20 @@ HEADER-NAME can be a keyword or a string."
(defun request-body (&key (request lzb:*request*) (want-stream-p nil))
"Returns the decoded request body. The value returned depends upon
-the value of the Content-Type request header."
+the value of the Content-Type request header.
+
+If WANT-STREAM-P is non-null, then an attempt is made to return a
+stream from which the body content can be read. This may be impossible
+if the Content-Type of the request is one of multipart/form-data or
+application/x-www-form-urlencoded.
+
+If the body's Content-Type is application/json, multipart/form-data,
+or application/x-www-form-urlencoded then a property-list
+representation of the body is returned.
+
+Otherwise a bytevector of the body is returned.
+
+Work to unpack the body is performed once per request. Calling this"
(if %request-body-cache% %request-body-cache%
(setf %request-body-cache%
(when (member (request-method request) +hunchentoot-methods-with-body+)
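Review bot: The new docstring for request-body stops mid-sentence at `Calling this`, so the caching behaviour it starts to describe is never stated. Finish the sentence from what the visible code does, e.g. `Calling this function again during the same request returns the cached value.` Because the first result is stored in `%request-body-cache%` and returned as-is afterwards, it is worth adding that the WANT-STREAM-P value and any keyword filtering in effect on the first call appear to decide what later calls get. The body of request-body continues outside this hunk.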
@@ -230,7 +243,9 @@ the value of the Content-Type request header."
((string-equal "application/json" content-type)
(jonathan:parse
- (h:raw-post-data :request request :external-format :utf8 ))) ;TODO: don't hardcode utf8
+ (h:raw-post-data :request request :external-format :utf8)
+ :as :plist
+ :keywords-to-read *allowed-keywords*))
(t
;; default case is to return a bytevector
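Review bot: The key filter passed to `jonathan:parse` here is opt-in, because `*allowed-keywords*` defaults to nil; if jonathan treats a nil `:keywords-to-read` as "read every key" (I believe it does, worth confirming), JSON bodies still intern client-chosen keys as keywords on every endpoint whose handler does not bind it. The parsed body is also cached per request, so a binding made inside the handler has no effect when something earlier in the request, for instance an authorizer, has already called request-body; the binding point should be documented or moved ahead of the first parse. The symbol is written unqualified while other lazybones symbols in this file use the `lzb:` prefix, so please confirm it resolves to the exported variable and not a fresh symbol in this package. The enclosing cond starts and ends outside the hunk.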
diff --git a/lazybones.lisp b/lazybones.lisp
index 0fe323b..e9adc03 100644
--- a/lazybones.lisp
+++ b/lazybones.lisp
@@ -34,6 +34,11 @@
"Dynamic variable holding the an APP instance. Dynamically bound by
RUN-ENDPOINT so that it is available if needed in request handlers.")
+(defvar *allowed-keywords* nil
+ "Dynamic variable. Can be bound by handler functions to control which
+keywords are read in while parsing request bodies. Should be used
+when keyword bombing is a concern.")
+
(defvar *debugging* nil)
;;; HTTP-ERROR CONDITION
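Review bot: The docstring for `*allowed-keywords*` does not say what the nil default means or what the list should contain, which are the two things a handler author needs to use it safely. Suggest adding something like `When NIL (the default) no filtering is requested and every key in the body is read; otherwise a list of the JSON object keys to keep.` and stating the element type once checked against jonathan (presumably strings). A one-line gloss of "keyword bombing" would help too: keys are interned as keywords, interned keywords are not reclaimed, so many distinct keys in request bodies grow memory for the life of the image.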
@@ -340,7 +345,7 @@ applying HANDLER-FUNCTION slot of ENDPOINT to the ARGS list."
(*response* response)
(*app* app))
(setf (response-code) 200)
- (if (request-authorized-p endpoint)
+ (if (request-authorized-p endpoint)
(http-respond (apply (endpoint-request-handler endpoint) args))
(http-err 403))))
diff --git a/package.lisp b/package.lisp
index 1a6e7bc..4ed5cdf 100644
--- a/package.lisp
+++ b/package.lisp
@@ -31,7 +31,10 @@
#:start-server
#:stop-server
#:canned-response
- #:set-canned-response))
+ #:set-canned-response
+ ;; special variables
+ #:*allowed-keywords*
+ ))
;; the symbols exported here are available for end users to use in the
;; building of their apps
@@ -44,6 +47,7 @@
#:*request*
#:*response*
#:*debugging*
+ #:*allowed-keywords*
#:http-error
#:generate-app-documentation
#:provision-app