Don't sanitize WSGI script name

Unrud 2022-01-15 22:32:37 +01:00
parent e3a982dbce
commit 6dee974b74


@ -183,19 +183,12 @@ class Application(ApplicationPartDelete, ApplicationPartHead,
logger.debug("Request headers:\n%s", logger.debug("Request headers:\n%s",
pprint.pformat(self._scrub_headers(environ))) pprint.pformat(self._scrub_headers(environ)))
# Let reverse proxies overwrite SCRIPT_NAME # SCRIPT_NAME is already removed from PATH_INFO, according to the
if "HTTP_X_SCRIPT_NAME" in environ: # WSGI specification.
# script_name must be removed from PATH_INFO by the client. # Reverse proxies can overwrite SCRIPT_NAME with X-SCRIPT-NAME header
unsafe_base_prefix = environ["HTTP_X_SCRIPT_NAME"] base_prefix = environ.get("HTTP_X_SCRIPT_NAME",
logger.debug("Script name overwritten by client: %r", environ.get("SCRIPT_NAME", ""))
unsafe_base_prefix) logger.debug("Base prefix: %r", base_prefix)
else:
# SCRIPT_NAME is already removed from PATH_INFO, according to the
# WSGI specification.
unsafe_base_prefix = environ.get("SCRIPT_NAME", "")
# Sanitize base prefix
base_prefix = pathutils.sanitize_path(unsafe_base_prefix).rstrip("/")
logger.debug("Sanitized script name: %r", base_prefix)
# Sanitize request URI (a WSGI server indicates with an empty path, # Sanitize request URI (a WSGI server indicates with an empty path,
# that the URL targets the application root without a trailing slash) # that the URL targets the application root without a trailing slash)
path = pathutils.sanitize_path(environ.get("PATH_INFO", "")) path = pathutils.sanitize_path(environ.get("PATH_INFO", ""))
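Review bot: `base_prefix` is now taken verbatim from `HTTP_X_SCRIPT_NAME` (falling back to `SCRIPT_NAME`), so the normalisation previously done by `pathutils.sanitize_path(unsafe_base_prefix).rstrip("/")` is gone. A value with no leading `/`, a trailing `/`, or `..` segments now reaches whatever uses `base_prefix` later in this method, which continues outside the hunk. The header is client-supplied unless the fronting proxy overwrites it, so even if the prefix is deliberately passed through unsanitized, a minimal shape check after the assignment seems worth keeping: reject the request on `if base_prefix and not base_prefix.startswith("/"):` and apply `base_prefix = base_prefix.rstrip("/")`. The new debug line also no longer says which source supplied the value, unlike the old "Script name overwritten by client" message, and that distinction helps when triaging odd prefixes in logs. I would also extend the comment to say so explicitly, e.g. `# X-Script-Name is only trustworthy when the reverse proxy sets or strips it`.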