Message6352
Hi,
On 2019-02-17 15:50, John Rouillard wrote:
> In message <1550402207.92.0.371676542223.issue2551023@roundup.psfhosted.org>,
> Cédric Krier writes:
> >I use the wsgi_handler instead of roundup-server. And I can not get
> >HTTP_X-REQUESTED-WITH set in environment because WSGI server convert all
> >'-' into '_'.
>
> What server are you using? That translation of '-' to '_' is not
> right/supported according to the mod_wsgi or WSGI docs. It also seriously
> breaks the compatibility with CGI.
I'm using nginx, which passes requests via FastCGI to the flup WSGIServer, which uses
RequestDispatcher.
> >So the X-Requested-With header becomes HTTP_X_REQUESTED_WITH. But
> >roundup-server use HTTP_X-REQUESTED-WITH key.
>
> HTTP_X-REQUESTED-WITH is the correct form as the header is: X-REQUESTED-WITH
>
> Do you see the same mangling with X-Forward-Host or other http
> headers?
Yes, it is done for all headers with '-'.
> >I think roundup-server behavior should be normalized with other WSGI
> >server and not use '-' in HTTP_*.
> >I could not find in PEP3333 that '-' should be converted into '_' for
> >HTTP_. There is only a reference to server-defined variables.
> >
> >https://www.python.org/dev/peps/pep-3333/#environ-variables
>
> Wow, that seems seriously broken in WSGI. It is not what is documented.
> From mod_wsgi:
>
> https://modwsgi.readthedocs.io/en/develop/release-notes/version-4.3.0.html
>
> While it does not say that the '-' is preserved, not saying it's converted to '_' would seem a massive oversight.
I have seen a similar bug fix for Django:
https://www.djangoproject.com/weblog/2015/jan/13/security/
And clearly the issue is that headers can collide when '-' is replaced by
'_'.
> Also:
>
> https://wsgi.readthedocs.io/en/latest/definitions.html
>
> says:
>
> HTTP_ Variables
>
> Variables corresponding to the client-supplied HTTP request
> headers (i.e., variables whose names begin with HTTP_). The
> presence or absence of these variables should correspond with the
> presence or absence of the appropriate HTTP header in the request.
>
> which is the same as in your cite of:
> https://www.python.org/dev/peps/pep-3333/#environ-variables
>
> The names for the http request headers are most definitely '-'
> separated. In cgi mode, the vars are precisely:
>
> HTTP_<uppercase version of http header field name>
>
> and that is exactly how the vars will be presented to the application.
Here is where nginx makes this replacement:
for fastcgi:
https://trac.nginx.org/nginx/browser/nginx/src/http/modules/ngx_http_fastcgi_module.c#L947
for uwsgi:
https://trac.nginx.org/nginx/browser/nginx/src/http/modules/ngx_http_uwsgi_module.c#L940
So we have at least two implementations that do this replacement:
wsgiref and nginx. Even if it is not explicit in the standard, it is how
it is implemented.
History:
Date | User | Action | Args
2019-02-17 16:30:38 | ced | set | recipients: + ced, schlatterbeck
2019-02-17 16:30:38 | ced | link | issue2551023 messages
2019-02-17 16:30:38 | ced | create |
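The collision the message above describes, as an added example written for this page (it is not code from Roundup, flup, nginx or Django). The CGI mapping in RFC 3875 section 4.1.18 is HTTP_ plus the upper-cased field name with every '-' replaced by '_', which is what wsgiref and the nginx fastcgi/uwsgi modules linked above implement. Under that mapping X-Requested-With and X_Requested_With land on the same environ key, so whichever header arrives last wins. The hardened builder below refuses any client header whose name already contains '_' before it reaches the environ, a mitigation of the kind the Django advisory cited above describes, and get_header accepts both the RFC 3875 key and the undashed HTTP_X-REQUESTED-WITH form the thread says roundup-server uses. All function names and the sample headers are constructed for this example.

```python
"""Added example (not project code): HTTP header '-' -> '_' mangling,
the key collision it causes, and a mitigation that drops client headers
containing '_' before the environ is built.  Function names and the
sample request are constructed for this illustration."""

from typing import Dict, Iterable, List, Optional, Tuple

Header = Tuple[str, str]


def cgi_key(name: str) -> str:
    """RFC 3875 / wsgiref / nginx form: HTTP_ + UPPER(name) with '-' -> '_'."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ_naive(headers: Iterable[Header]) -> Dict[str, str]:
    """Mangle every header as received.

    Two different request headers whose names differ only in '-' vs '_'
    map to the same key; the later one silently overwrites the earlier.
    """
    environ: Dict[str, str] = {}
    for name, value in headers:
        environ[cgi_key(name)] = value
    return environ


def build_environ_hardened(
    headers: Iterable[Header],
) -> Tuple[Dict[str, str], List[str]]:
    """Same mapping, but refuse any header whose raw name contains '_'.

    A legitimate header never needs '_' in its name (the CGI form adds it
    only during mangling), so an underscore in the wire name is the only
    way to forge a key that collides with a dashed header.  Dropped names
    are returned so the caller can log them.
    """
    environ: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers:
        if "_" in name:
            dropped.append(name)
            continue
        environ[cgi_key(name)] = value
    return environ, dropped


def get_header(environ: Dict[str, str], name: str) -> Optional[str]:
    """Application-side lookup tolerant of both environ spellings.

    Tries the RFC 3875 key first (HTTP_X_REQUESTED_WITH), then the
    dash-preserving key the thread says roundup-server emits
    (HTTP_X-REQUESTED-WITH), so the same app code runs under either
    front end.
    """
    for key in (cgi_key(name), "HTTP_" + name.upper()):
        if key in environ:
            return environ[key]
    return None


# Constructed request: a genuine X-Requested-With from the browser,
# followed by an attacker-chosen header that differs only by '_'.
CONSTRUCTED_HEADERS: List[Header] = [
    ("Host", "tracker.example"),
    ("X-Requested-With", "XMLHttpRequest"),
    ("X_Requested_With", "spoofed"),
]

if __name__ == "__main__":
    naive = build_environ_naive(CONSTRUCTED_HEADERS)
    print("naive   :", naive["HTTP_X_REQUESTED_WITH"])        # spoofed
    hardened, dropped = build_environ_hardened(CONSTRUCTED_HEADERS)
    print("hardened:", hardened["HTTP_X_REQUESTED_WITH"])     # XMLHttpRequest
    print("dropped :", dropped)                                # ['X_Requested_With']
```

Independently of the fastcgi/uwsgi rewrite linked above, nginx itself ignores request headers whose names contain underscores unless underscores_in_headers is switched on, which closes the same collision at the proxy; the check in build_environ_hardened is the equivalent for a WSGI front end that does not sit behind such a filter.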