Roundup Tracker - Issues

Message 6352

Author: ced
Recipients: ced, schlatterbeck
Date: 2019-02-17.16:30:38
Message-id: <20190217162725.GA11909@kei>
In-reply-to: <20190217155013.90D034C028A@itserver6.localdomain>
Hi,

On 2019-02-17 15:50, John Rouillard wrote:
> In message <1550402207.92.0.371676542223.issue2551023@roundup.psfhosted.org>,
> Cédric Krier writes:
> >I use the wsgi_handler instead of roundup-server. And I can not get
> >HTTP_X-REQUESTED-WITH set in environment because WSGI server convert all
> >'-' into '_'.
> 
> What server are you using? That translation of '-' to '_' is not
> right/supported according to mod_wsgi or wsgi docs. It also seriously
> breaks the compatibility with CGI.

I'm using nginx, which passes with fastcgi to flup WSGIServer, which uses
RequestDispatcher.

> >So the X-Requested-With header becomes HTTP_X_REQUESTED_WITH. But
> >roundup-server use HTTP_X-REQUESTED-WITH key.
> 
> HTTP_X-REQUESTED-WITH is the correct form as the header is: X-REQUESTED-WITH
> 
> Do you see the same mangling with X-Forward-Host or other http
> headers?

Yes, it is done for all headers with '-'.

> >I think roundup-server behavior should be normalized with other WSGI
> >server and not use '-' in HTTP_*.
> >I could not find in PEP3333 that '-' should be converted into '_' for
> >HTTP_. There is only a reference to server-defined variables.
> >
> >https://www.python.org/dev/peps/pep-3333/#environ-variables
> 
> Wow, it seems wsgi is seriously broken. It is not what is documented.
> From mod_wsgi:
> 
>   https://modwsgi.readthedocs.io/en/develop/release-notes/version-4.3.0.html
> 
> While it does not say that the '-' is preserved, not saying it's converted to '_' would seem a massive oversight.

I have seen a similar bug fix for Django:
https://www.djangoproject.com/weblog/2015/jan/13/security/
And clearly the issue is that headers can collide when '-' is replaced by
'_'.

> Also:
> 
>   https://wsgi.readthedocs.io/en/latest/definitions.html
> 
> says:
> 
>   HTTP_ Variables
> 
>     Variables corresponding to the client-supplied HTTP request
>     headers (i.e., variables whose names begin with HTTP_). The
>     presence or absence of these variables should correspond with the
>     presence or absence of the appropriate HTTP header in the request.
> 
> which is the same as in your cite of:
>    https://www.python.org/dev/peps/pep-3333/#environ-variables
> 
> The names for the http request headers are most definitely '-'
> separated. In cgi mode, the vars are precisely:
> 
>   HTTP_<uppercase version of http header field name>
> 
> and that is exactly how the vars will be presented to the application.

Here is where nginx makes this replacement:

for fastcgi:
https://trac.nginx.org/nginx/browser/nginx/src/http/modules/ngx_http_fastcgi_module.c#L947

for uwsgi:
https://trac.nginx.org/nginx/browser/nginx/src/http/modules/ngx_http_uwsgi_module.c#L940

So we have at least two implementations that do this replacement:
wsgiref and nginx. Even if it is not explicit in the standard, it is how
it is implemented.
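The collision this message is about, shown in code. This is an added example and not code from Roundup, nginx, flup, wsgiref or Django; the functions are my own reconstruction of the CGI-style convention the thread describes (uppercase the field name, turn '-' into '_', prefix HTTP_), the request headers are constructed for the demonstration, and the defence in drop_underscore_headers is the one the Django advisory above applied to its development server (and, to my knowledge, what nginx does at the proxy by default with underscores_in_headers off). get_header is a hypothetical helper showing how application code can cope with both the hyphen-preserving key roundup-server uses and the mangled key the other gateways produce.

```python
"""CGI/WSGI header mangling, the collision it creates, and two mitigations.

Added example, not project code. The mangling rule below is a
reconstruction of the common gateway behaviour discussed in the thread;
all sample headers are constructed for this demonstration.
"""
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]

# CGI exposes these two without the HTTP_ prefix; everything else gets it.
_CGI_SPECIAL = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def mangle(name: str) -> str:
    """The '-' -> '_' rule nginx's fastcgi/uwsgi modules and wsgiref apply."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_env_from_headers(headers: Headers) -> Dict[str, str]:
    """Build the HTTP_* part of an environ the way a mangling gateway does.

    Headers are processed in wire order, so a later header whose name
    mangles to the same key silently overwrites an earlier one. That is
    the whole problem: X-Requested-With and X_Requested_With become one key.
    """
    environ: Dict[str, str] = {}
    for name, value in headers:
        lower = name.lower()
        if lower in _CGI_SPECIAL:
            environ[_CGI_SPECIAL[lower]] = value
        else:
            environ[mangle(name)] = value
    return environ


def colliding_keys(headers: Headers) -> Dict[str, List[str]]:
    """Return every environ key that two *distinct* header names map to.

    Case differences alone are not collisions (header names are
    case-insensitive), which is why names are lower-cased before comparing.
    """
    seen: Dict[str, set] = {}
    for name, _ in headers:
        seen.setdefault(mangle(name), set()).add(name.lower())
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


def drop_underscore_headers(headers: Headers) -> Headers:
    """Mitigation 1 (proxy/gateway side): discard any header whose *name*
    contains '_'. Such a name is never produced by a well-behaved client
    and is exactly what an attacker needs to overwrite a trusted X-Foo-Bar
    header after mangling, so dropping it removes the collision entirely.
    This is the approach the Django advisory describes for its dev server
    and what nginx does by default (underscores_in_headers off)."""
    return [(name, value) for name, value in headers if "_" not in name]


def get_header(environ: Dict[str, str], name: str) -> Optional[str]:
    """Mitigation 2 (application side, hypothetical helper): read a header
    by its wire name whether the gateway preserved '-' (roundup-server's
    HTTP_X-REQUESTED-WITH) or mangled it (nginx/flup/wsgiref's
    HTTP_X_REQUESTED_WITH). This only fixes the lookup, not the spoofing;
    it still needs mitigation 1 in front of it."""
    upper = name.upper()
    for key in ("HTTP_" + upper, "HTTP_" + upper.replace("-", "_")):
        if key in environ:
            return environ[key]
    return None


# Constructed request: the browser's real header followed by a forged
# underscore variant an attacker appended to the same request.
SAMPLE_REQUEST: Headers = [
    ("Host", "tracker.example"),
    ("X-Requested-With", "XMLHttpRequest"),
    ("X_Requested_With", "spoofed"),
]


def demo() -> Dict[str, Optional[str]]:
    """Run the scenario and return what the application would observe."""
    raw_env = cgi_env_from_headers(SAMPLE_REQUEST)
    safe_env = cgi_env_from_headers(drop_underscore_headers(SAMPLE_REQUEST))
    return {
        "mangled_unfiltered": get_header(raw_env, "X-Requested-With"),
        "mangled_filtered": get_header(safe_env, "X-Requested-With"),
        "hyphen_preserving": get_header({"HTTP_X-REQUESTED-WITH": "XMLHttpRequest"}, "X-Requested-With"),
    }


if __name__ == "__main__":
    print("collisions:", colliding_keys(SAMPLE_REQUEST))
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Run it and the unfiltered environ reports the forged value, because the attacker's X_Requested_With arrived last and overwrote the real header under the shared HTTP_X_REQUESTED_WITH key; with underscore-named headers dropped before mangling, the browser's value survives. The same check applies to any header an application treats as trusted (X-Forwarded-For, X-Remote-User, and so on), not just X-Requested-With.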
History

Date                 User  Action  Args
2019-02-17 16:30:38  ced   set     recipients: + ced, schlatterbeck
2019-02-17 16:30:38  ced   link    issue2551023 messages
2019-02-17 16:30:38  ced   create