From 1d3d018f01ffb71dcdeaa086b3025a00428b45c1 Mon Sep 17 00:00:00 2001
From: colin
Date: Sat, 18 Nov 2023 08:57:47 -0800
Subject: Version bump; Allow for control of keyword reading

---
 lazybones-hunchentoot.asd | 2 +-
 lazybones-hunchentoot.lisp | 19 +++++++++++++++++--
 lazybones.lisp | 7 ++++++-
 package.lisp | 6 +++++-
 4 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/lazybones-hunchentoot.asd b/lazybones-hunchentoot.asd
index 4167cff..56ae2c0 100644
--- a/lazybones-hunchentoot.asd
+++ b/lazybones-hunchentoot.asd
@@ -4,7 +4,7 @@
 :description "hunchentoot backend for lazybones"
 :author "Colin Okay "
 :license "AGPLv3"
- :version "0.2.0"
+ :version "0.2.1"
 :serial t
 :depends-on (#:hunchentoot #:lazybones)
 :components ((:file "lazybones-hunchentoot")))
diff --git a/lazybones-hunchentoot.lisp b/lazybones-hunchentoot.lisp
index 38480a0..2b3bf1e 100644
--- a/lazybones-hunchentoot.lisp
+++ b/lazybones-hunchentoot.lisp
@@ -208,7 +208,20 @@ HEADER-NAME can be a keyword or a string."
 (defun request-body (&key (request lzb:*request*) (want-stream-p nil))
 "Returns the decoded request body. The value returned depends upon
-the value of the Content-Type request header."
+the value of the Content-Type request header.
+
+If WANT-STREAM-P is non-null, then an attempt is made to return a
+stream from which the body content can be read. This may be impossible
+if the Content-Type of the request is one of multipart/form-data or
+application/x-www-form-urlencoded.
+
+If the body's Content-Type is application/json, multipart/form-data,
+or application/x-www-form-urlencoded then a property-list
+representation of the body is returned.
+
+Otherwise a bytevector of the body is returned.
+
+Work to unpack the body is performed once per request. Calling this"
 (if %request-body-cache% %request-body-cache%
 (setf %request-body-cache%
 (when (member (request-method request) +hunchentoot-methods-with-body+)
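Review bot: The new docstring on `request-body` stops mid-sentence at `Calling this"`, so the caching guarantee it starts to describe is never stated; the context lines below show the value is memoised in `%request-body-cache%`, so finish it with something like `Calling this more than once within the same request returns the cached result rather than re-reading the body.` It would also help to say, in the application/json sentence, that object keys come back as keywords and that `*allowed-keywords*` limits which ones are read, since that is the knob the rest of this commit adds. The function's body continues past the end of this hunk.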
@@ -230,7 +243,9 @@ the value of the Content-Type request header."
 ((string-equal "application/json" content-type)
 (jonathan:parse
- (h:raw-post-data :request request :external-format :utf8 ))) ;TODO: don't hardcode utf8
+ (h:raw-post-data :request request :external-format :utf8)
+ :as :plist
+ :keywords-to-read *allowed-keywords*))
 (t ;; default case is to return a bytevector
diff --git a/lazybones.lisp b/lazybones.lisp
index 0fe323b..e9adc03 100644
--- a/lazybones.lisp
+++ b/lazybones.lisp
@@ -34,6 +34,11 @@ "Dynamic variable holding the an APP instance. Dynamically bound by RUN-ENDPOINT so that it is available if needed in request handlers.")
+(defvar *allowed-keywords* nil
+ "Dynamic variable. Can be bound by handler functions to control which
+keywords are read in while parsing request bodies. Should be used
+when keyword bombing is a concern.")
+
 (defvar *debugging* nil)
 ;;; HTTP-ERROR CONDITION
@@ -340,7 +345,7 @@ applying HANDLER-FUNCTION slot of ENDPOINT to the ARGS list."
 (*response* response)
 (*app* app))
 (setf (response-code) 200)
- (if (request-authorized-p endpoint)
+ (if (request-authorized-p endpoint)
 (http-respond (apply (endpoint-request-handler endpoint) args))
 (http-err 403))))
diff --git a/package.lisp b/package.lisp
index 1a6e7bc..4ed5cdf 100644
--- a/package.lisp
+++ b/package.lisp
@@ -31,7 +31,10 @@
 #:start-server
 #:stop-server
 #:canned-response
- #:set-canned-response))
+ #:set-canned-response
+ ;; special variables
+ #:*allowed-keywords*
+ ))
 ;; the symbols exported here are available for end users to use in the
 ;; building of their apps
@@ -44,6 +47,7 @@
 #:*request*
 #:*response*
 #:*debugging*
+ #:*allowed-keywords*
 #:http-error
 #:generate-app-documentation
 #:provision-app
-- cgit v1.2.3
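Review bot: The `:keywords-to-read *allowed-keywords*` restriction only takes effect on the call that actually parses the body, and the result is memoised in `%request-body-cache%` (see the end of the previous hunk), so a handler that binds `*allowed-keywords*` gets no protection if anything earlier in the request has already called `request-body` with the variable still NIL — `request-authorized-p` runs before the handler in the `run-endpoint` hunk below, so an authorization function that reads the body is the obvious case, and the unrestricted parse is what gets cached and returned. Either state in the `*allowed-keywords*` docstring that it must be bound before the body is first read, or have `run-endpoint` bind it from an endpoint property alongside `*request*` and `*app*` so every reader of the body sees the same restriction. The replaced line also carried `;TODO: don't hardcode utf8`, and the new call still passes `:external-format :utf8` regardless of any charset parameter in Content-Type, so keep the TODO or derive the external format from the header. The enclosing `cond` starts and ends outside this hunk.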
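Review bot: The docstring for `*allowed-keywords*` should say what the default NIL does: the value is passed straight through to jonathan's `:keywords-to-read` in the hunk above, and NIL there presumably means no restriction, so an endpoint that never binds the variable still interns every attacker-chosen key of a JSON body into the KEYWORD package — the protection is opt-in, which "should be used when keyword bombing is a concern" understates. A line such as `NIL (the default) applies no restriction: every key in a JSON body is interned as a keyword.` makes that trade-off visible to whoever writes the handlers. The docstring also speaks of "request bodies" in general, but the patch applies the variable only in the application/json branch; the multipart/form-data and x-www-form-urlencoded decoders, which the `request-body` docstring says also return plists, may intern keys as well and are not covered, so either scope the wording to JSON or extend the restriction to them.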