[Web-SIG] URL quoting in WSGI (or the lack thereof)

James Y Knight foom at fuhm.net
Wed Jan 23 00:21:59 CET 2008


On Jan 22, 2008, at 5:33 PM, Luis Bruno wrote:
> A quick sanity check here: I think
> http://host/catalog/some%2Fthing/shallow/ is *meant* to have two
> nested levels: "some/thing" and "shallow". Is it obvious to you to
> interpret the URL as having three nested levels "some", "thing" and
> "shallow"? I ask because the first choice is very obvious to me; I'm
> treating the second one (current behaviour) as a bug to be fixed.

You're right, it certainly shouldn't be interpreted as the same URL as some/thing/shallow. That is most likely an avenue for a security exploit if your server does so, and the server should likely be fixed. However, as there is simply no way to represent "some%2Fthing/shallow/" with PATH_INFO, as specified in the CGI spec, the only alternative is to reject the request. This is what the major servers do today.

> Anyone else think it's a bug in WSGI too?


WSGI is based upon CGI and inherits this behavior. I suppose a WSGI-specific fix could be done. However, there are good reasons for inheriting behavior from CGI, most importantly, ease of integration. Servers already implement this behavior for CGI, SCGI, FastCGI, PHP, and now, WSGI. None of the previous have seen it as important enough an issue to change this behavior, and neither do I think it important enough for WSGI.

So, no, I don't consider it a bug in WSGI. You could call it a bug in CGI if you like. Good luck getting it changed.

James
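The collapse James describes, and the "reject the request" alternative, as an added example that is not part of the original thread and is not code from any WSGI server or from CGI: `decode_path_info` fills PATH_INFO the way a CGI-style gateway does, so `/catalog/some%2Fthing/shallow/` and `/catalog/some/thing/shallow/` become indistinguishable; `has_encoded_slash` inspects the undecoded request line, which is the only place the difference survives; `path_info_or_reject` refuses such requests instead of serving the un-encoded sibling URL. The 404 status is an assumption (the thread only says the request is rejected), and the `reject_encoded_slash` middleware assumes the server exposes the raw request line under an environ key such as `REQUEST_URI`, which WSGI itself does not guarantee.

```python
"""Added example for the Web-SIG thread on %2F in PATH_INFO (not the thread's code)."""
from urllib.parse import unquote


def decode_path_info(raw_path: str) -> str:
    """Fill PATH_INFO the CGI way: strip the query string, then remove every
    percent-escape once. After this step %2F is a plain '/', so the encoded
    and un-encoded forms of the path can no longer be told apart."""
    path = raw_path.split("?", 1)[0]
    return unquote(path)


def route_segments(path_info: str) -> list:
    """Split PATH_INFO into the 'nested levels' an application routes on."""
    return [seg for seg in path_info.split("/") if seg]


def has_encoded_slash(raw_path: str) -> bool:
    """True if the undecoded path carries an encoded slash (%2F or %2f).
    Only the raw request line can answer this; PATH_INFO has already lost it.
    A double-encoded '%252F' is not matched: one round of decoding turns it
    into the literal text '%2F', not into a path separator."""
    path = raw_path.split("?", 1)[0]
    return "%2f" in path.lower()


def path_info_or_reject(raw_path: str):
    """Return (status, path_info). A path with an encoded slash cannot be
    represented faithfully in PATH_INFO, so it is rejected (404 is an assumed
    choice of status) rather than routed as if the slash were a separator."""
    if has_encoded_slash(raw_path):
        return ("404 Not Found", None)
    return ("200 OK", decode_path_info(raw_path))


def reject_encoded_slash(app, raw_key="REQUEST_URI"):
    """WSGI middleware applying the same rule in front of an application.
    Assumption: the server stores the undecoded request line in
    environ[raw_key]; WSGI does not promise such a key, so when it is absent
    the request is passed through unchanged (the check cannot be done from
    PATH_INFO alone)."""
    def wrapped(environ, start_response):
        raw = environ.get(raw_key)
        if raw is not None and has_encoded_slash(raw):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"encoded slash in path not supported\n"]
        return app(environ, start_response)
    return wrapped


if __name__ == "__main__":
    # Constructed sample request paths from the thread's example.
    for raw in ("/catalog/some%2Fthing/shallow/", "/catalog/some/thing/shallow/"):
        status, path_info = path_info_or_reject(raw)
        print(raw, "->", status, path_info,
              route_segments(decode_path_info(raw)))
```

Running the block shows both raw paths decoding to the same PATH_INFO and the same four route segments, with only the raw-line check separating the one that is rejected from the one that is served.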

