-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Relax HTTP method validation in UrlDispatcher. #1037
Relax HTTP method validation in UrlDispatcher. #1037
Conversation
Previously the validation only compared against "safe HTTP methods", now we validate against the allowed character-set defined in RFC 2616 section 5.1.1.
Okay so I got the object name wrong, the change was in AbstractRoute, not in UrlDispatcher. |
Cool! |
Hmm. After rethinking I've decided to remove The reason is: I don't want to expose yet another hook and don't want to document it. Fixed by df7b41b |
It's cool, it's just a habit of mine to separate this kind of logical step in case in the future additional checks not coverable by a single line is required. Out of curiosity, do you document "protected" methods as well? Although I realise the naming of the method does not indicate it being protected. |
Where does the client validation live by the way? As far as I can tell there's no such validation. I think there should be a request() method as well which allows the user to form his/her requests manually. Or did I miss this completely? |
What do these changes do?
This pull request changes the HTTP method validation procedure in AbstractRoute.
Previously only "safe HTTP methods" were allowed which made developing unusual
services communicating over HTTP with custom methods (such as WebDAV and UPnP)
impossible without monkey-patching.
The new method AbstractRoute.validate_method() matches the method against a regex compliant with the RFC 2616 specification of a "token".
Are there changes in behavior for the user?
The only change in behavior is what input raises a ValueError now, this has not been documented anywhere as far as I could tell hence no changes has been documented in the end-user API docs.
Related issue number
#951
Checklist
Previously the validation only compared against "safe HTTP methods",
now we validate against the allowed character-set defined in
RFC 2616 section 5.1.1.