[Web-SIG] Python 3.0 and WSGI 1.0.

Robert Brewer fumanchu at aminus.org
Fri Apr 3 20:46:04 CEST 2009


James Y Knight wrote:
> On Apr 2, 2009, at 7:33 AM, Graham Dumpleton wrote:
> 
> > """When running under Python 3, servers MUST provide CGI HTTP
> > variables as strings, decoded from the headers using HTTP standard
> > encodings (i.e. latin-1 + RFC 2047)"""
> >
> > Which is fair enough and basically what the RFCs say. At the moment I
> > don't apply RFC 2047 rules in Python 3.0 support in mod_wsgi, so just
> > need to do that.
> 
> I'd really *really* like to recommend that any mention of RFC 2047 is
> stricken from the WSGI server requirements. I cannot imagine that
> decoding actually accomplishing anything other than opening security
> holes (think a filter in an upstream proxy that doesn't know how to do
> 2047-decoding passing something through that you now decode.)
> 
> Also, you have to only do the decoding on TEXT words according to the
> spec, so the WSGI container now needs an HTTP header parser just in
> order to determine where it should decode RFC2047 words and where not
> to? I don't think so...

Something needs to decode RFC2047 words, at least until http-bis is
widespread. I'd be OK with making the app do it as needed (since only it
might know whether extension headers are token/quoted-string/TEXT).


Robert Brewer
fumanchu at aminus.org
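
An added example, not part of the original message or of any WSGI server's code: a sketch of the application-side approach discussed above, in which the app decodes RFC 2047 encoded-words only for headers it knows to be TEXT and re-checks the decoded value. The `X-Comment` header, the `TEXT_HEADERS` set and both function names are assumptions; the sample values in the comments are constructed.

```python
from email.errors import HeaderParseError
from email.header import decode_header

# Assumption: the application, not the server, knows which of its
# headers are TEXT. X-Comment is a hypothetical extension header.
TEXT_HEADERS = {"HTTP_X_COMMENT"}


def decode_rfc2047(raw):
    """Decode RFC 2047 encoded-words in a latin-1 str header value.

    Returns the value unchanged if an encoded-word is malformed or
    names an unknown charset.
    Constructed sample: "=?iso-8859-1?q?caf=E9?=" decodes to "café".
    """
    try:
        parts = decode_header(raw)
    except HeaderParseError:
        return raw
    out = []
    for chunk, charset in parts:
        if isinstance(chunk, str):        # no encoded-words were present
            out.append(chunk)
            continue
        try:
            out.append(chunk.decode(charset or "latin-1"))
        except (LookupError, UnicodeDecodeError):
            return raw
    return "".join(out)


def text_header(environ, key):
    """Return a header value, decoding only headers known to be TEXT.

    The decoded value is re-checked for control characters, because
    anything upstream that inspected the raw value never saw them.
    """
    raw = environ.get(key, "")
    if key not in TEXT_HEADERS:
        return raw                        # token/quoted-string: leave alone
    value = decode_rfc2047(raw)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in decoded %s" % key)
    return value
```

Headers outside `TEXT_HEADERS` pass through untouched, so an encoded-word in a token or quoted-string header is never expanded.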


