Stopping CherryPy request processing in a Tool


Johan Hartzenberg
In CherryPy I can prevent the Handler from running by setting cherrypy.request.handler = None in a Tool.  But how can I prevent other tools from running?

Specifically JS/AJAX likes to make an Options request without the Authorization (and other non-standard) header(s).

So I set my cors Tool to be before my Auth checking tool, and as a workaround in my Auth checking tool I first check whether the method is OPTIONS; if it is OPTIONS I pass, otherwise I expect the Authorization header.

The problem is this is not secure.  The actual static file is returned by another tool.  This is a standard tool (cherrypy static file tool) so I can't modify it.  Basically by sending an OPTIONS request a user might be able to read arbitrary data.  So how do I prevent any other Tools from running?

As it happens my testing shows that currently the Static Files tool doesn't actually return the image on an OPTIONS request.  I'm guessing this is intentional behaviour, but depending on this seems insecure.

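The ordering concern in the post above, as an added framework-independent example (not the poster's code and not CherryPy API): only a genuine CORS preflight is exempt from the Authorization check, and that exemption is a terminal, body-less response, so the file-serving step is never reached. The names `gate`, `process` and `serve_static`, the allowed origin and the header lists are assumptions made for illustration; wiring this into CherryPy hooks is not shown.

```python
# Added illustration; all names and sample values here are hypothetical.
ALLOWED_ORIGINS = {"https://app.example"}   # constructed sample value
ALLOWED_METHODS = "GET, OPTIONS"
ALLOWED_HEADERS = "Authorization, Content-Type"


def is_preflight(method, headers):
    """A CORS preflight is OPTIONS with Origin and Access-Control-Request-Method."""
    return (method == "OPTIONS" and "origin" in headers
            and "access-control-request-method" in headers)


def gate(method, headers):
    """Return (status, response_headers, run_downstream); header names lower-cased."""
    if is_preflight(method, headers):
        resp = {"Vary": "Origin"}
        if headers["origin"] in ALLOWED_ORIGINS:
            resp.update({
                "Access-Control-Allow-Origin": headers["origin"],
                "Access-Control-Allow-Methods": ALLOWED_METHODS,
                "Access-Control-Allow-Headers": ALLOWED_HEADERS,
            })
        # Terminal answer: headers only, no body, nothing downstream runs.
        return 204, resp, False
    if "authorization" not in headers:
        # Fail closed; this also covers a bare OPTIONS that is not a preflight.
        return 401, {}, False
    return 200, {}, True   # validating the credential itself is out of scope here


def process(method, headers, downstream):
    """Run the gate, then the downstream steps only if the gate allows it."""
    headers = {k.lower(): v for k, v in headers.items()}
    status, resp_headers, run_downstream = gate(method, headers)
    body = b""
    if run_downstream:
        for step in downstream:
            body = step(method, headers) or body
    return status, resp_headers, body


def serve_static(method, headers):
    """Stand-in for a file-serving step that ignores the request method."""
    return b"secret-file-bytes"   # constructed sample content
```

Because the exemption is decided in one place and ends the request there, the result no longer depends on how the file-serving step happens to treat OPTIONS.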