> If it's displaying the environment in an error message, it has to
> escape it to avoid security vulnerabilities. Otherwise a cracker can
> force an exception and put malicious Javascript in the query string
> (which would be displayed as part of the environment).
I see. I will dig around and try to understand the flow more. I still have questions, but I'll see if I can figure it out before asking.

> Why does pymongo.database return a useless value for unknown
> attributes? Perhaps this is a bug in PyMongo. I'm not sure what
> ``Collection(self.db, name)`` means, but if a property is not
> specifically defined it should raise AttributeError. Otherwise it
> will throw off not only WebOb but all analysis/introspection tools.

I think it is like that as a convenience feature. It strikes me as a little odd as well. In MongoDB, a collection is somewhat analogous to an RDBMS table. A table stores records; a mongo collection stores json-ish documents. For example, you may have a 'users' collection, a 'photos' collection, etc. The __getattr__ creates the collection if it did not already exist, or returns the existing collection. Example:

    db = Database()
    db.users.save(...)
    db.random_collection.save(...)

    # Equivalent to this form - more explicit
    users = Collection(db, 'users')
    users.save(...)
    random_collection = Collection(db, 'random_collection')
    random_collection.save(...)

Thanks for your help!

On Sep 27, 2:03 pm, Mike Orr <[email protected]> wrote:
> On Sun, Sep 27, 2009 at 8:18 AM, Chris <[email protected]> wrote:
>
> > I see. Thanks for the info about __html__.
>
> >> I didn't know WebOb itself also did it.
>
> > It only seems to do it on an HTTP Redirection. In webob.exc,
> > _make_body(self, environ, escape) it loops over environ, calling
> > escape on any values. (I'm still not exactly sure why).
>
> If it's displaying the environment in an error message, it has to
> escape it to avoid security vulnerabilities. Otherwise a cracker can
> force an exception and put malicious Javascript in the query string
> (which would be displayed as part of the environment).
>
> >> Or is it just returning something for all .__getattr__ calls
> >> regardless of value?
>
> > pymongo.database instance always returns a collection object,
> > regardless of the attr name. The collection object is not callable,
> > (well actually it defines __call__, but its implementation throws an
> > exception immediately on purpose). The pymongo database __getattr__
> > looks like this
>
> > # in pymongo database
> > def __getattr__(self, name):
> >     return Collection(self.db, name)
>
> > Ok, good to know about the callable deprecation. It looks like I may
> > just subclass pymongo.database and override its __getattr__ to check
> > for __html__. That doesn't feel very clean, but it'll work.
>
> It sounds like the best solution. Sometimes you have to make kludges
> like this when two unrelated libraries make contradictory assumptions.
> Fortunately pymongo.database is overridable.
>
> Why does pymongo.database return a useless value for unknown
> attributes? Perhaps this is a bug in PyMongo. I'm not sure what
> ``Collection(self.db, name)`` means, but if a property is not
> specifically defined it should raise AttributeError. Otherwise it
> will throw off not only WebOb but all analysis/introspection tools.
>
> --
> Mike Orr <[email protected]>
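The clash discussed in this thread, as an added example that is not code from the thread, from PyMongo or from WebOb: `Collection`, `Database`, `SafeDatabase`, `escape_for_error_page` and `can_escape` are hypothetical stand-ins that mimic the behaviour described (any attribute lookup yields a Collection whose `__call__` raises, and the escape helper trusts `__html__` the way an error-page escaper does), with `SafeDatabase` showing the subclass-and-raise-AttributeError fix.

```python
import html


class Collection:
    """Stand-in for a PyMongo collection; the name is whatever was looked up."""

    def __init__(self, db, name):
        self.db = db
        self.name = name

    def __call__(self, *args, **kwargs):
        # As in the thread: defined only so that calling it fails at once.
        raise TypeError("'Collection' object is not callable")


class Database:
    """Stand-in for pymongo's database: every unknown attribute is a Collection."""

    def __getattr__(self, name):
        return Collection(self, name)


class SafeDatabase(Database):
    """The kludge from the thread: refuse dunder names so introspection
    (hasattr(db, '__html__')) sees a plain object instead of a Collection."""

    def __getattr__(self, name):
        if name.startswith("__") and name.endswith("__"):
            raise AttributeError(name)
        return super().__getattr__(name)


def escape_for_error_page(value):
    """Escape a value before echoing it into an error page.

    Objects providing __html__ are trusted as already-escaped markup (the
    convention the thread's escape hook follows); everything else is run
    through html.escape so request-controlled strings cannot carry markup.
    """
    if hasattr(value, "__html__"):
        return value.__html__()
    return html.escape(str(value))


def can_escape(value):
    """True if the value survives the error-page escaping step."""
    try:
        escape_for_error_page(value)
        return True
    except TypeError:
        return False
```

With `Database`, `hasattr(db, "__html__")` is true because `__getattr__` manufactures a Collection named `__html__`, and calling it blows up exactly as described; `SafeDatabase` raises AttributeError for that name, so the value falls through to ordinary escaping.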
