[issue21472] Fix wsgiref handling of absolute HTTP Request-URI
Robert Collins
report at bugs.python.org
Thu Sep 25 20:50:11 CEST 2014
Robert Collins added the comment:
FWIW we probably need to capture the original unaltered URL somewhere, but also ensure that PATH_INFO is always a relative path.
One should be able to implement a proxy in WSGI (because thats just another specialised app), and doing that today requires special handling depending on the WSGI container, which isn't great for consistency.
On security; Host header <-> url host mismatches occur when the host to which a request is sent != the url; this is expected only in the case of forward proxies: any other time it would indeed be a smuggling attack, trying to find mismatches between acls and access in servers - this is another reason to consolidate things so that wsgi apps can rely on urls looking consistent.
----------
nosy: +rbcollins
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue21472>
_______________________________________
More information about the Python-bugs-list
mailing list