 Post subject: Django & HTML POST security
PostPosted: Tue Apr 17, 2012 8:09 pm 
DBB Benefactor
Joined: Thu Sep 02, 1999 2:01 am
Posts: 4434
I'm just getting going on this portion/code for my project, and I'd like to see what suggestions/resources you guys know of:

I need to get listings into my database in order for django to display them on the web page.
I also plan to build schedules based on the data in the DB.

There are handy dandy methods to download the data to an XML format, which I'm planning on using.

Different sets of listings can be associated with each different capture device.

Consider the following problem/method:

Currently, things are built so listings are individually downloaded for each capture device (regardless of repetition) because the settings are locally saved at the moment, and then are forwarded in XML form on to the web server via an HTTP POST - the web server will then parse the XML into the database, and account for things such as capture devices sharing channels, etc.

Here's the problem. I want to generate the HTTP POST using urllib2... Do you have any suggestions for where I should start to add a method to provide for some kind of authentication? If I write everything carefully, I think I can prevent anyone from injecting malicious code, but without authentication there's still the opportunity to prank by uploading bogus listings.

Any thoughts?

(Now, I need to write my code to parse the XML properly.)

[EDIT] I may also find that I want to change approaches. If I upload listings settings information once and make the server handle all of the listings grabbing, I can make it account for shared channels and such so that it only has to grab each thing once, and only generates traffic from the web to the server. This may be the better option for specifically the listings. The authentication aspect still applies.

_________________
Arch Linux x86-64, Openbox
"We'll just set a new course for that empty region over there, near that blackish, holeish thing." Zapp Brannigan


 Post subject: Re: Django & HTML POST security
PostPosted: Tue Apr 17, 2012 9:04 pm 
DBB Master
Joined: Sun Sep 05, 1999 2:01 am
Posts: 6377
Location: ☃☃☃
Probably the simplest way is to hmac hash the data + timestamp (timestamp to prevent replay attacks of old data) with some shared secret as the key. Signing is implemented in django's signing module, so you could just ask it to sign a string like datetime.now().strftime(...) + ':' + xml_listing that you can then split(':', 1) the timestamp off from in the Web application. (If a suitable timestamp is already in the xml, then you can just check that instead.)

Even simpler you could just send a password as a POST parameter, but if you need to be robust to eavesdropping, then you'll need to use ssl with this approach.


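The scheme described in the reply above (an HMAC over timestamp + XML under a shared secret, with the timestamp split off with `split(':', 1)` on the server), as an added example that is not code from the original thread. It uses the standard-library `hmac` module rather than `django.core.signing` so that it runs stand-alone; the shared secret, the skew window, the field names `message`/`mac` and the sample listing XML are all assumptions made for the example. The server side checks the MAC before it touches the message, compares it in constant time, rejects timestamps outside the window, and keeps a set of seen MACs so that an eavesdropper cannot replay a still-fresh upload.

```python
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Assumption for the example: a long random secret shared between the
# capture host and the Django server (never put it in the XML itself).
SHARED_SECRET = b"replace-with-a-long-random-secret-from-os.urandom"

# Assumption: how far the listing's timestamp may drift from server time.
MAX_SKEW_SECONDS = 300

# Constructed sample listing, standing in for the downloaded XML.
SAMPLE_XML = (
    '<listings device="hdhr-1">'
    '<channel id="2.1"><name>KXYZ-HD</name></channel>'
    '<channel id="5.1"><name>WABC</name></channel>'
    "</listings>"
)


def sign_listing(xml_listing: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Client side: build the POST fields for one listing upload.

    The signed message is '<unix-timestamp>:<xml>'. The timestamp holds no
    ':' so the server can recover both parts with a single partition.
    """
    ts = int(time.time()) if now is None else now
    message = f"{ts}:{xml_listing}"
    mac = hmac.new(secret, message.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"message": message, "mac": mac}


def encode_post_body(fields: dict) -> bytes:
    """Form-encode the fields as urllib2/urllib.request would send them."""
    return urlencode(fields).encode("utf-8")


def decode_post_body(body: bytes) -> dict:
    """Turn the form body back into a flat dict, as Django's request.POST would."""
    return {k: v[0] for k, v in parse_qs(body.decode("utf-8")).items()}


def verify_listing(fields: dict, secret: bytes, now: Optional[int] = None,
                   max_skew: int = MAX_SKEW_SECONDS,
                   seen: Optional[set] = None):
    """Server side. Returns (ok, reason, xml_or_None).

    Order matters: authenticate the bytes first, only then parse them.
    """
    message = fields.get("message", "")
    presented = fields.get("mac", "")
    expected = hmac.new(secret, message.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison; '==' would leak how many hex digits matched.
    if not hmac.compare_digest(expected, presented):
        return False, "bad mac", None

    ts_str, sep, xml_listing = message.partition(":")
    if not sep or not ts_str.isdigit():
        return False, "malformed message", None

    now = int(time.time()) if now is None else now
    if abs(now - int(ts_str)) > max_skew:
        return False, "stale timestamp", None

    # Within the window an identical upload is still a replay; remember
    # the MACs seen during the window (a DB table in a real deployment).
    if seen is not None:
        if presented in seen:
            return False, "replay", None
        seen.add(presented)

    return True, "ok", xml_listing


def parse_listings(xml_listing: str) -> list:
    """Parse an authenticated listing into (channel id, name) pairs.

    Only holders of the secret reach this point, but for XML from less
    trusted sources prefer defusedxml over the stdlib parser.
    """
    root = ET.fromstring(xml_listing)
    return [(ch.get("id"), ch.findtext("name")) for ch in root.iter("channel")]


if __name__ == "__main__":
    body = encode_post_body(sign_listing(SAMPLE_XML, SHARED_SECRET))
    ok, reason, xml = verify_listing(decode_post_body(body), SHARED_SECRET)
    print(reason, parse_listings(xml) if ok else None)
```

The same shared secret plus a timestamp is what keeps a captured upload from being resubmitted later; the second "password as a POST parameter" option in the reply gives none of that unless the transport is TLS, which is why the reply ties it to SSL.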
 Post subject: Re: Django & HTML POST security
PostPosted: Wed Apr 18, 2012 11:11 am 
DBB Benefactor
Joined: Thu Sep 02, 1999 2:01 am
Posts: 4434
The password approach sounds like a good way to do it.

It makes sense... and seems to be pretty easy to implement... there shouldn't really be a need to store it in anything other than plain text.
