[Web-SIG] urllib.unquote in paste.httpserver prevents slashes in path segments

Florian Friesdorf flo at chaoflow.net
Fri Mar 18 10:36:27 CET 2011 

On Thu, 17 Mar 2011 15:10:56 -0500, Ian Bicking <ianb at colorstudy.com> wrote:
> It's implied by WSGI itself that the path be unquoted; there's no fix short
> of changing the specification.

What is WSGI's solution for path segments containing slashes?

> On Thu, Mar 17, 2011 at 1:10 PM, Florian Friesdorf <flo at chaoflow.net> wrote:
> 
> >
> > I think paste.httpserver.WSGIHandlerMixin.wsgi_setup should not
> > urllib.unquote the path [1] before setting it in the wsgi environment
> > [2]. The only pre-processing performed on the path between [1] and [2]
> > is concerned with slashes '/'. By urllib.unquoting it is not possible to
> > have urllib.quoted slashes within one path segment.
> >
> > At least pyramid without routing fully relies on
> > ``environ['PATH_INFO']`` [3]; by commenting [1] I succeeded to have
> > slashes in path segments, they are handle by pyramid in [4]f.
> >
> > However, webob.request.BaseRequest would need to be adjusted wherever
> > PATH_INFO from the environment is used (e.g [5]).
> >
> > Reasoning: The path stored in environ['PATH_INFO'] is still a path,
> > therefore it must not be urllib.unquoted, the unquoting must happen
> > after the path is split up in segments ([4]).
> >
> > [1]
> > https://bitbucket.org/ianb/paste/src/4f5cfde87603/paste/httpserver.py#cl-180
> > [2]
> > https://bitbucket.org/ianb/paste/src/4f5cfde87603/paste/httpserver.py#cl-217
> > [3]
> > https://github.com/Pylons/pyramid/blob/master/pyramid/traversal.py#L594
> > [4]
> > https://github.com/Pylons/pyramid/blob/master/pyramid/traversal.py#L495
> > [5]
> > https://bitbucket.org/ianb/webob/src/c0bb5309cfca/webob/request.py#cl-265
> >
> > --
> > Florian Friesdorf <flo at chaoflow.net>
> >  GPG FPR: 7A13 5EEE 1421 9FC2 108D  BAAF 38F8 99A3 0C45 F083
> > Jabber/XMPP: flo at chaoflow.net
> > IRC: chaoflow on freenode,ircnet,blafasel,OFTC
> >
> > _______________________________________________
> > Web-SIG mailing list
> > Web-SIG at python.org
> > Web SIG: http://www.python.org/sigs/web-sig
> > Unsubscribe:
> > http://mail.python.org/mailman/options/web-sig/ianb%40colorstudy.com
> >
> >
Non-text part: text/html

-- 
Florian Friesdorf <flo at chaoflow.net>
  GPG FPR: 7A13 5EEE 1421 9FC2 108D  BAAF 38F8 99A3 0C45 F083
Jabber/XMPP: flo at chaoflow.net
IRC: chaoflow on freenode,ircnet,blafasel,OFTC
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/web-sig/attachments/20110318/72a44716/attachment.pgp>

More information about the Web-SIG mailing list