[Web-SIG] WSGI and readline(size) support (was: WSGI type tolerance)

Robert Brewer fumanchu at amor.org
Fri Sep 8 20:08:26 CEST 2006


Phillip J. Eby wrote:
> Oops.  I just noticed that the ticket was about
> response headers, not CGI variables.
> ...
> I'll add:
> """Each ``header_name`` and ``header_value`` **must** be of StringType."""

Great! Thanks very much. I'll have CherryPy deny non-strings.

> I think I should also add some language regarding
> wsgiref in the stdlib, the importance of using
> wsgiref.validate, and a recommendation that servers
> not be any more "liberal in what they accept" than
> what the spec allows.

Thanks for the tip. I've just run CherryPy's test suite through the validator, and discovered a conflict that could bite a lot of people soon.

PEP 333 does not support the size argument to wsgi.input.readline(), stating that, "the optional 'size' argument to readline() is not supported, as it may be complex for server authors to implement, and is not often used in practice."

However, Python 2.5rc1 has fixed a DoS bug in cgi.FieldStorage by using readline(1<<16). See http://sourceforge.net/tracker/?func=detail&aid=1112549&group_id=5470&atid=105470. CherryPy has had this patched for a year or so: http://www.cherrypy.org/ticket/127

Now that wsgiref is in the stdlib, we should really fix either it or the cgi module so that there's no conflict. It may be "complex for server authors to implement" readline(size) support, but it's even more complex for application authors to re-implement FieldStorage. ;) For what it's worth, there was zero work to have CherryPy support readline(size); it's automatically provided by socket.makefile.


Robert Brewer
System Architect
Amor Ministries
fumanchu at amor.org
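The failure mode and fix discussed in this message, as an added example (Python 3, bytes-based; this is not CherryPy's, wsgiref's or cgi.FieldStorage's code). `LineSizedInput` is a hypothetical adapter that gives a read()-only stream a `readline(size)` method, for servers whose `wsgi.input` is not already a `socket.makefile()`-style file object; `ATTACK_BODY` is a constructed request body whose second line is a megabyte long with no newline, the shape that an unbounded `readline()` turns into a memory-exhaustion DoS. `max_readline_allocation` reads the body the way a header-parsing loop would and reports the largest single `readline()` result, first unbounded and then capped at `1 << 16` as the post describes:

```python
import io


class LineSizedInput:
    """Hypothetical adapter: readline(size) on top of any stream with read(n).

    It buffers in fixed chunks, so a readline(size) call never returns more
    than size bytes and never has to hold an entire newline-free line in
    memory. read() is provided too so the object can stand in for wsgi.input.
    """

    def __init__(self, raw, chunk_size=8192):
        self._raw = raw
        self._chunk_size = chunk_size
        self._buf = b""

    def read(self, size=-1):
        if size is None or size < 0:
            data, self._buf = self._buf + self._raw.read(), b""
            return data
        while len(self._buf) < size:
            chunk = self._raw.read(self._chunk_size)
            if not chunk:
                break
            self._buf += chunk
        data, self._buf = self._buf[:size], self._buf[size:]
        return data

    def readline(self, size=-1):
        bounded = size is not None and size >= 0
        while True:
            nl = self._buf.find(b"\n")
            if nl != -1:
                # Return through the newline, but never more than size bytes.
                line_end = nl + 1
                if bounded and line_end > size:
                    line_end = size
                data, self._buf = self._buf[:line_end], self._buf[line_end:]
                return data
            if bounded and len(self._buf) >= size:
                # No newline within the cap: hand back a size-byte slice and
                # let the caller keep going, exactly like file.readline(size).
                data, self._buf = self._buf[:size], self._buf[size:]
                return data
            chunk = self._raw.read(self._chunk_size)
            if not chunk:
                # EOF: whatever is buffered is the last (unterminated) line.
                data, self._buf = self._buf, b""
                return data
            self._buf += chunk


# Constructed hostile body: one normal header line, then a header line that
# is a megabyte long with no newline, then the blank line ending the headers.
ATTACK_BODY = (
    b"Content-Type: text/plain\r\n"
    + b"X-Pad: " + b"A" * (1 << 20) + b"\r\n"
    + b"\r\n"
)


def max_readline_allocation(body, size=None):
    """Read body line by line; return the largest single readline() result.

    size=None mimics the pre-fix cgi.FieldStorage behaviour (unbounded
    readline(), so one newline-free line costs as much memory as that whole
    line). size=1 << 16 mirrors the readline(1<<16) fix the post refers to.
    """
    stream = LineSizedInput(io.BytesIO(body), chunk_size=4096)
    largest = 0
    while True:
        line = stream.readline() if size is None else stream.readline(size)
        if not line:
            return largest
        largest = max(largest, len(line))


if __name__ == "__main__":
    print("unbounded readline(): largest line", max_readline_allocation(ATTACK_BODY))
    print("readline(1<<16):      largest line", max_readline_allocation(ATTACK_BODY, 1 << 16))
```

The unbounded pass returns the entire 1 MiB line in one allocation, growing linearly with whatever the client chooses to send; the capped pass never returns more than 64 KiB per call, and a parser that rejects an over-long header at that point bounds memory regardless of body size. A server exposing a real file object (as `socket.makefile()` does) gets this behaviour without the adapter.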