[Web-SIG] Request for Comments on upcoming WSGI Changes
And Clover
and-py at doxdesk.com
Tue Sep 22 18:07:14 CEST 2009
Graham wrote:
> Armin has fast asleep now, so my shift.
Heh. It's a multiple-man job keeping up with this monster thread!
> The URLs don't break.
Not in themselves. Just the language of the PEP implies that to fix them
up would contravene the spec:
>> The application MUST use [the encoding guess for PATH_INFO] to decode
>> the ``'QUERY_STRING'`` as well.
This isn't appropriate even as a SHOULD: the guessed encoding for
PATH_INFO is very likely to be wrong, in particular for cases where the
path was purely ASCII.
The application (or a library/framework acting on its behalf) should be
allowed to decode QUERY_STRING using whatever encoding it is expecting.
Disallowing using anything other than utf-8 (and iso-8859-1 in a very
unreliable way) makes it impossible to have queries in any other
encoding at all and still comply with the spec, which is undesirable.
If this sentence is removed, and `wsgi.uri_encoding` is guaranteed to be
one of:
a. definitive and reliable, or
b. missing/None
I'm pretty much happy. What I don't want is that half the future-WSGI
servers/gateways decide they have to provide *some* value for
`wsgi.uri_encoding` even if they're not quite sure if it's the right
one. Then we're back to square one.
> if it is known that an application or some subset of
> URLs will always be receiving a request as non UTF-8, then it should
> employ code in those cases to always transcode it to the required
> encoding.
Yep, agreed. I think the PEP should clarify that; at the moment it is
saying that a transcode is something you should only do for the
iso-8859-1 case, but if you actually followed that advice you'd get
highly inconsistent results. Perhaps we're at cross-purposes as to what
exactly consistutes 'middleware'...
> The other fallback is that a specific WSGI server could elect to
> provide an option to not use 'UTF-8' as the first choice for decoding
I really, *really* hope this does not happen. That just brings us more
deployment heartaches.
> Whether surrogateescape gives a better solution I have no idea at this
> point
Yeah... I'm highly suspicious of surrogateescape in a web context and
personally my code will be deliberately filtering all such characters
out. I can see it being a possible way to smuggle unwanted sequences
(such as overlongs) through filters, potentially causing endless
security problems. But we'll see...
--
And Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/
More information about the Web-SIG
mailing list