Always sanitize request URI
Do not rely on the HTTP server
This commit is contained in:
parent
ee095a463d
commit
780cecc0f2
@ -254,21 +254,23 @@ class Application(object):
|
|||||||
headers = pprint.pformat(self.headers_log(environ))
|
headers = pprint.pformat(self.headers_log(environ))
|
||||||
log.LOGGER.debug("Request headers:\n%s" % headers)
|
log.LOGGER.debug("Request headers:\n%s" % headers)
|
||||||
|
|
||||||
|
# Strip base_prefix from request URI
|
||||||
base_prefix = config.get("server", "base_prefix")
|
base_prefix = config.get("server", "base_prefix")
|
||||||
if environ["PATH_INFO"].startswith(base_prefix):
|
if environ["PATH_INFO"].startswith(base_prefix):
|
||||||
# Sanitize request URI
|
environ["PATH_INFO"] = environ["PATH_INFO"][len(base_prefix):]
|
||||||
environ["PATH_INFO"] = self.sanitize_uri(
|
|
||||||
"/%s" % environ["PATH_INFO"][len(base_prefix):])
|
|
||||||
log.LOGGER.debug("Sanitized path: %s", environ["PATH_INFO"])
|
|
||||||
elif config.get("server", "can_skip_base_prefix"):
|
elif config.get("server", "can_skip_base_prefix"):
|
||||||
log.LOGGER.debug(
|
log.LOGGER.debug(
|
||||||
"Skipped already sanitized path: %s", environ["PATH_INFO"])
|
"Prefix already stripped from path: %s", environ["PATH_INFO"])
|
||||||
else:
|
else:
|
||||||
# Request path not starting with base_prefix, not allowed
|
# Request path not starting with base_prefix, not allowed
|
||||||
log.LOGGER.debug(
|
log.LOGGER.debug(
|
||||||
"Path not starting with prefix: %s", environ["PATH_INFO"])
|
"Path not starting with prefix: %s", environ["PATH_INFO"])
|
||||||
environ["PATH_INFO"] = None
|
environ["PATH_INFO"] = None
|
||||||
|
|
||||||
|
# Sanitize request URI
|
||||||
|
environ["PATH_INFO"] = self.sanitize_uri(environ["PATH_INFO"])
|
||||||
|
log.LOGGER.debug("Sanitized path: %s", environ["PATH_INFO"])
|
||||||
|
|
||||||
path = environ["PATH_INFO"]
|
path = environ["PATH_INFO"]
|
||||||
|
|
||||||
# Get function corresponding to method
|
# Get function corresponding to method
|
||||||
|
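Review bot: The new unconditional `self.sanitize_uri(environ["PATH_INFO"])` after the if/elif/else now also runs for the rejected branch, where the line just above it has set `environ["PATH_INFO"] = None`; unless sanitize_uri accepts None (its body is not in this hunk), a request whose path does not start with base_prefix will now raise a TypeError instead of being refused cleanly, turning an access check into a crash path. Guarding the call keeps the commit's intent for the two accepted branches: `if environ["PATH_INFO"] is not None:` / `environ["PATH_INFO"] = self.sanitize_uri(environ["PATH_INFO"])` / `log.LOGGER.debug("Sanitized path: %s", environ["PATH_INFO"])`. A second, smaller point is that the old call prepended `"/"` to the stripped remainder (`"/%s" % ...`) whereas the new slice `environ["PATH_INFO"][len(base_prefix):]` does not, so with a base_prefix ending in `/` the string handed to sanitize_uri no longer starts with a slash; if sanitize_uri does not normalize that itself, `"/" + environ["PATH_INFO"][len(base_prefix):].lstrip("/")` preserves the previous guarantee. The enclosing method starts before this hunk.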