[Web-SIG] URL quoting in WSGI (or the lack thereof)
James Y Knight
foom at fuhm.net
Wed Jan 23 00:21:59 CET 2008
On Jan 22, 2008, at 5:33 PM, Luis Bruno wrote:
> A quick sanity check here: I think
> http://host/catalog/some%2Fthing/shallow/ is *meant* to have two
> nested levels: "some/thing" and "shallow". Is it obvious to you to
> interpret the URL as having three nested levels "some", "thing" and
> "shallow"? I ask because the first choice is very obvious to me; I'm
> treating the second one (current behaviour) as a bug to be fixed.
You're right, it certainly shouldn't be interpreted as the same URL as
some/thing/shallow. That is most likely an avenue for a security
exploit if your server does so, and the server should likely be fixed.
However, as there is simply no way to represent "some%2Fthing/shallow/" with PATH_INFO, as specified in the CGI spec, the only
alternative is to reject the request. This is what the major servers
> Anyone else thinks it's a bug in WSGI too?
WSGI is based upon CGI and inherits this behavior. I suppose a WSGI-specific fix could be done. However, there are good reasons for
inheriting behavior from CGI, most importantly, ease of integration.
Servers already implement this behavior for CGI, SCGI, FastCGI, PHP, and
now, WSGI. None of the previous have seen it as important enough an
issue to change this behavior, and neither do I think it important
enough for WSGI.
So, no, I don't consider it a bug in WSGI. You could call it a bug in
CGI if you like. Good luck getting it changed.