Django & HTML POST security

For all coding issues - MODers and programmers, HTML and more.

Moderators: Jeff250, fliptw

Post Reply
User avatar
snoopy
DBB Benefactor
DBB Benefactor
Posts: 4435
Joined: Thu Sep 02, 1999 2:01 am

Django & HTML POST security

Post by snoopy »

I'm just getting going on this portion/code for my project, and I'd like to see what suggestions/resources you guys know of:

I need to get listings into my database in order for django to display them on the web page.
I also plan to build schedules based on the data in the DB.

There are handy dandy methods to download the data to an XML format, which I'm planning on using.

Different sets of listings can be associated with each different capture device.

Consider the following problem/method:

Currently, things are built so listings are individually downloaded for each capture device (regardless of repetition) because the settings are locally saved at the moment, and then are forwarded in XML form on to the web server via an HTTP POST - the web server will then parse the XML into the database, and account for things such as capture devices sharing channels, etc.

Here's the problem. I want to generate the HTTP POST using liburl2... Do you have any suggestions for where I should start to add a method to provide for some kind of authentication. If I write everything carefully, I think I can prevent anyone from injecting malicious code, but without authentication there's still the opportunity to prank by uploading bogus listings.

Any thoughts?

(Now, I need to write my code to parse the XML properly.)

[EDIT] I may also find that I want to change approaches. If I upload listings settings information once and make the server handle all of the listings grabbing, I can make it account for shared channels and such so that it only has to grab each thing once, and only generates traffic from the web to the server. This may be the better option for specifically the listings. The authentication aspect still applies.
Arch Linux x86-64, Openbox
"We'll just set a new course for that empty region over there, near that blackish, holeish thing. " Zapp Brannigan
User avatar
Jeff250
DBB Master
DBB Master
Posts: 6539
Joined: Sun Sep 05, 1999 2:01 am
Location: ❄️❄️❄️

Re: Django & HTML POST security

Post by Jeff250 »

Probably the simplest way is to hmac hash the data + timestamp (timestamp to prevent replay attacks of old data) with some shared secret as the key. Signing is implemented in django's signing module, so you could just ask it to sign a string like datetime.now().strftime(...) + ':' + xml_listing that you can then split(':', 1) the timestamp off from in the Web application. (If a suitable timestamp is already in the xml, then you can just check that instead.)

Even simpler you could just send a password as a POST parameter, but if you need to be robust to eavesdropping, then you'll need to use ssl with this approach.
User avatar
snoopy
DBB Benefactor
DBB Benefactor
Posts: 4435
Joined: Thu Sep 02, 1999 2:01 am

Re: Django & HTML POST security

Post by snoopy »

The password approach sounds like a good way to do it.

It makes sense.... and seems to be pretty easy to implement... there shouldn't really be a need to store it in anything other than plain text.
Arch Linux x86-64, Openbox
"We'll just set a new course for that empty region over there, near that blackish, holeish thing. " Zapp Brannigan
Post Reply