Re: [Web-SIG] WSGI Amendments thoughts: the horror of charsets
ctypes.windll.kernel32.GetEnvironmentVariableW(u'PATH_INFO', ...) Hmm... it turns out: no. IIS appears to be mangling characters that are not in mbcs even *before* it puts the decoded value into the envvars. The same is true with isapi_wsgi, which is the only other WSGI adapter I know of for IIS. This gets the same mangled byte string from GetServerVariable as Python gets from the envvars, so it looks like this is a mistake IIS is making further up before it even hits the CGI handler. Maybe someone more familiar with ISAPI knows a better way to read PATH_INFO than GetServerVariable, but I can't see anything promising in MSDN. So it would seem to be impossible at the moment to have Unicode paths work under IIS at all. The ctypes approach could rescue bytes for the Apache/nt/Py2 combination (perhaps also from libc.getenv for Apache/posix/Py3), but then Apache already gives us REQUEST_URI which is a much easier workaround. There might be CGI servers for Windows where ctypes could serve some purpose, but I can't think of any currently in use other than the Big Two. In summary, to get the original submitted byte strings for PATH_INFO: Apache/nt/Py2 process REQUEST_URI Apache/posix/Py2 use PATH_INFO directly (or process REQUEST_URI) Apache/nt/Py3 encode PATH_INFO to ISO-8859-1 (or process REQUEST_URI) Apache/posix/Py3 process REQUEST_URI IIS/nt/Py2 decode PATH_INFO from mbcs, then encode to UTF-8 FAIL for characters not in current mbcs FAIL for non-UTF-8 input IIS/nt/Py3 encode PATH_INFO to UTF-8 FAIL for characters not in current mbcs FAIL for non-UTF-8 input wsgiref.simple_server/Py2 use PATH_INFO directly wsgiref.simple_server/Py3 remains to be seen, but at the moment encode PATH_INFO to UTF-8 FAIL for non-UTF-8 input cherrypy.wsgiserver/Py2 use PATH_INFO directly cherrypy.wsgiserver/Py3 remains to be seen, but at the moment encode PATH_INFO to UTF-8 FAIL for non-UTF-8 input -- And Clover mailto:[EMAIL PROTECTED] http://www.doxdesk.com/ ___ Web-SIG mailing list Web-SIG@python.org Web SIG: http://www.python.org/sigs/web-sig Unsubscribe: http://mail.python.org/mailman/options/web-sig/archive%40mail-archive.com
Re: [Web-SIG] WSGI Amendments thoughts: the horror of charsets
Mark Hammond wrote: I don't think Python explicitly converts it - the CRT's ANSI version of environ is used Yes, it would be the CRT on Python 2.x. (Python 3.0 on non-NT does a conversion always using UTF-8, if I'm reading convertenviron right.) so the resulting strings should be encoded using the 'mbcs' encoding. What mangling do you see? Correct, it's characters unencodable in mbcs that are lost*. mbcs is never equivalent to UTF-8 (which would allow us to recover characters on IIS) or ISO-8859 (which would allow us to receover characters on Apache-for-Windows) so there's always heavy lossage. (* - replaced with ? or Windows's attempt to substitute something that looks vaguely like the original character.) win32api and ctypes would both let you call the Windows API. Ah! I had considered the win32 extensions but it's a bit of a dependency... I'd forgotten that we get ctypes for free in 2.5. So we'd be looking at: ctypes.windll.kernel32.GetEnvironmentVariableW(u'PATH_INFO', ...) when CPython 2.5+/NT is detected, right? That increases the number of situations in which we can feasibly recover URIs that are valid UTF-8 sequences (modulo the slash anyway). Doing the actual recovery still requires some server-sniffing though. What is IIS doing wrong here? It's not wrong as such. There are three reasonable choices for decoding header values before putting them in a Unicode environment, and the CGI spec, as it knows nothing about Unicode environment variables, fails to specify which: 1. ISO-8859-1 (which ensures bytes can be recovered) 2. UTF-8 (since most URIs are effectively UTF-8 today) 3. Configured system codepage (mbcs) Apache [with mod_cgi or mod_wsgi] decides on (1). IIS tries for (2), falling back to (3) on invalid sequences. The text concerning Python 3.0 in the WSGI Amendments page could be read as blessing Apache's behaviour. However wsgiref.simple_server currently also goes for (2), although that probably can't be considered canonical. I'd be interested to know what other WSGI servers do. -- And Clover mailto:[EMAIL PROTECTED] http://www.doxdesk.com/ ___ Web-SIG mailing list Web-SIG@python.org Web SIG: http://www.python.org/sigs/web-sig Unsubscribe: http://mail.python.org/mailman/options/web-sig/archive%40mail-archive.com
Re: [Web-SIG] Revising environ['wsgi.input'].readline in the WSGI specification
Ian Bicking wrote: To resolve this, let's just not pass it over this time? +1 -- And Clover mailto:[EMAIL PROTECTED] http://www.doxdesk.com/ ___ Web-SIG mailing list Web-SIG@python.org Web SIG: http://www.python.org/sigs/web-sig Unsubscribe: http://mail.python.org/mailman/options/web-sig/archive%40mail-archive.com
Re: [Web-SIG] WSGI Amendments thoughts: the horror of charsets
Ian Bicking wrote: As it is (in Python 2), you should do something like environ['PATH_INFO'].decode('utf8') and it should work. See the test cases in my original post: this doesn't work universally. On WinNT platforms PATH_INFO has already gone through a decode/encode cycle which almost always irretrievably mangles the value. My understanding of this suggestion is that latin-1 is a way of representing bytes as unicode. In other words, the values will be unicode, but that will simply be a lie. Yes, that would be a sensible approach, but it is not what is actually happening in any WSGI environment I have tested. For example wsgiref.simple_server decodes using UTF-8 not 8859-1 — or would do, if it were working. (It is currently broken in 3.0rc2; I put a hack in to get it running but I'm not really sure what the current status of simple_server in 3.0 is.) A lot of what you write about has to do with CGI, which is the only place WSGI interacts with os.environ. CGI is really an aspect of the CGI to WSGI adapter (like wsgiref.handlers.CGIHandler), and not the WSGI spec itself. Indeed, but we naturally have to take into account implementability on CGI. If a WSGI spec *requires* PATH_INFO to have been obtained using 8859-1 decoding — or UTF-8, which is the other sensible option given that most URIs today are UTF-8 — then there cannot be a fully-compliant CGI-to-WSGI wrapper. Perhaps it's not the big issue it was when WSGI was first getting off the ground, but IMO it's still important. Personally I'm more inclined to set up a policy on the WSGI server itself with respect to the encoding, and then use real unicode characters. I think we are stuck with Unicode environ at this point, given the CGI issue. But applications do need to know about the encoding in use, because they will (typically) be generating their own links. So an optional way to get that information to the application would be advantageous. I'm now of the opinion that the best way to do this is to standardise Apache's ‘REQUEST_URI’ as an optional environ item. This header is pre-URI-decoding, containing only %-sequences and not real high bytes, so it can be decoded to Unicode using any old charset without worry. An application wanting to support Unicode URIs (or encoded slashes in URIs*) could then sniff for REQUEST_URI and use it in preference to PATH_INFO where available. This is a bit more work for the application, but it should generally be handled transparently by a library/framework and supporting PATH_INFO in a portable fashion already has warts thanks to IIS's bugs, so the situation is not much worse than it already is. And of course we get support through mod_cgi and mod_wsgi automatically, so Graham doesn't have to do anything. :-) Graham Dumpleton wrote: I can't really remember what the outcome of the discussion was. Not too much outcome really, unfortunately! You concluded: there possibly still is an open question there on how encoding of non ascii characters works in practice. We just need to do some actual tests to see what happens and whether there is a problem. ...to which the answer is — judging by the results posted — probably “yes”, I'm afraid! -- And Clover mailto:[EMAIL PROTECTED] http://www.doxdesk.com/ ___ Web-SIG mailing list Web-SIG@python.org Web SIG: http://www.python.org/sigs/web-sig Unsubscribe: http://mail.python.org/mailman/options/web-sig/archive%40mail-archive.com
Re: [Web-SIG] WSGI Amendments thoughts: the horror of charsets
Ian Bicking wrote: This is something messed up with CGI on NT, and whatever server you are using, and perhaps the CGI adapter (maybe there's a way to get the raw environment without any encoding, for example?) Python decodes the environ to its own copy (wrapped in os.environ) at interpreter startup time; there's no way to query the real ‘live’ environment that I know of. It'd require a C extension. Honestly I don't know if anyone is doing anything with WSGI and Python 3. I know Graham has done some work on mod_wsgi for 3.0, but no, I don't know anyone using it in anger. Is it worth submitting patches to simple_server to make it run on 3.0? Is it too late to include at this stage anyway? Shipping 3.0 with a non-functional wsgiref is a bit embarrassing. I assume there is some way to get at the bytes in the environment, if not then that is a Python 3 bug. There is not, and this appears to be deliberate. I think it might be feasible to support an encoded version of SCRIPT_NAME and PATH_INFO for WSGI 2.0 (creating entirely new key names, and I don't know of any particular standard to base those names on), moving from the two keys to a single REQUEST_URI is not feasible. That's certainly a possibility, but I feel it's easier to hitch a ride on the existing header, which despite being non-standard is still quite widely used. I guess you'd probably count segments, try to catch %2f (where the segments won't match up), and then double check that the decoded REQUEST_URI matches SCRIPT_NAME+PATH_INFO. I'm currently testing with just the segment counting. It's only necessary that the segments from SCRIPT_NAME are matched and stripped, and those are extremely unlikely to contain ‘%2F’ because: - there aren't many filesystems that can accept ‘/’ as a filename character. RISC OS is the only one I can think of, and it by convention swaps ‘/’ and ‘.’ to compensate as it is, so even there you couldn't use ‘%2F’; - there aren't many webservers that can map a file or alias to a path containing ‘%2F’; - no-one wants to mount a webapp alias at such a weird name — it's only in the section corresponding to PATH_INFO that ‘%2F’ might ever be of use in practice. In the worst case, many applications already know and can strip the URL at which they're mounted, but unless there's a legitimate ‘%2F’ in their SCRIPT_NAME it doesn't actually matter. frankly IIS is probably less relevant to most developers than CGI. Er... really? You and I may not favour it, but it's ≈35% of the world out there, not something we can afford to ignore IMO. So if IIS has problems with PATH_INFO, the WSGI adapter (be it CGI or otherwise) should be configured to fix those problems up front. What I'm saying is that neither Apache's nor IIS's behaviour can be considered clearly correct or wrong at this point, and there is no way a WSGI adapter living underneath them *can* fix up the differences. (There is an problem with PATH_INFO that a WSGI adapter *could* clear up, which is that IIS makes PATH_INFO the entire path including SCRIPT_NAME. I'm not sure whether it's worth fixing that up in the adapter layer though... it's possible some frameworks are already dealing with it, and might even be relying on it!) -- And Clover mailto:[EMAIL PROTECTED] http://www.doxdesk.com/ ___ Web-SIG mailing list Web-SIG@python.org Web SIG: http://www.python.org/sigs/web-sig Unsubscribe: http://mail.python.org/mailman/options/web-sig/archive%40mail-archive.com
[Web-SIG] WSGI Amendments thoughts: the horror of charsets
It would be lovely if we could allow WSGI applications to reliably accept Unicode paths. That is to say, allow WSGI apps to have beautiful URLs like Wikipedia's, without requiring URL-rewriting magic. (Which is so highly server-specific, potentially unavailable to non-admin webmasters, and makes WSGI app deployment more difficult than it already is.) If we could reliably read the bytes the browser sends to us in the GET request that would be great, we could just decode those and be done with it. Unfortunately, that's not reliable, because: 1. thanks to an old wart in the CGI specification, %XX hex escapes are decoded before the character is put into the PATH_INFO environment variable; 2. the environment variables may be stored as Unicode. (1) on its own gives us the problem of not being able to distinguish a path-separator slash from an encoded %2F; a long-known problem but not one that greatly affects most people. But combined with (2) that means some other component must choose how to decode the bytes into Unicode characters. No standard currently specifies what encoding to use, it is not typically configuarable, and it's certainly not within reach of the WSGI application. My assumption is that most applications will want to end up with UTF-8-encoded URLs; other choices are certainly possible but as we move towards IRI they become less likely. This situation previously affected only Windows users, because NT environment variables are native Unicode. However, Python 3.0 specifies all environment variable access is through a Unicode wrapper, and gives no way to control how that automatic decoding is done, leaving everyone in the same boat. WSGI Amendments_1.0 includes a suggestion for Python 3.0 that environ should be decoded from the headers using HTTP standard encodings (i.e. latin-1 + RFC 2047), but unfortunately this doesn't quite work: 1. for many existing environments the decoding-from-headers charset is out of reach of the WSGI server/layer and may well not be ISO-8859-1. Even wsgiref doesn't currently use 8859-1 (see below). 2. RFC2047 is not applicable to HTTP headers, which are not really 822-family headers even though they look just like them. The sub-headers in eg. a multipart/form-data chunk *are* (probably) proper 822 headers so RFC2047 could apply, but those headers are already dealt with by the application or framework, not WSGI. HTTP 1.1 (RFC2616) does refer to RFC2047 as an encoding mechanism for TEXT and quoted-string, but this makes no sense as 2047 itself requires embedding in atom-based parsing sequences which those productions are not (quoted-strings are explicitly disallowed by 2047 itself). In any case no existing browser attempts to support RFC2047 encoding rules for any possible interpretation of what 2616 might mean. Something like Luís Bruno's ORIGINAL_PATH_INFO proposal (http://mail.python.org/pipermail/web-sig/2008-January/003124.html) would be worth looking at for this IMO. It may be of questionable usefulness if the only character affected is the slash, but it also happens to solve the Unicode problem. Obviously whatever it was called it would have to be an optional additional value in the WSGI environ, as pure CGI servers wouldn't be able to supply it. Conceivably it might also be possible to have a standardised mod_rewrite rule to make the variable also available to Apache CGI scripts, but still this is far from global availability. In the meantime I've been looking at how various combinations of servers deal with this issue, and in what circumstances an application or middleware can safely recover all possible Unicode input. 'Apache' refers to the (AFAICT-identical) behaviour of both mod_cgi and mod_wsgi; 'IIS' refers to IIS with CGI. *** Apache/Posix/Python2 OK. No problem here, it's byte-based all the way through. *** Apache/Posix/Python3: Dependent on the default encoding. Apache puts bytes into the envvars but Python takes them out as unicode. If the system default encoding happens to be the same as the encoding the WSGI application wanted we will be OK. Normally the app will want UTF-8; many Linux distributions do use UTF-8 as the default system encoding but there are plenty of distros (eg. Debian) and other Unixen that do not. In any case we are getting a nasty system dependency at deploy time that many webmasters will not be able to resolve. It is sometimes possible to recover mangled characters despite the wrong decoding having been applied. For example if the system encoding was ISO-8859-1 or another encoding that maps every byte to a unique Unicode character, we can encode the Unicode string back to its original bytes, and thence apply the decoding we actually wanted! If, on the other hand, it's something like ISO-8859-4, where not all high bytes are mapped at all, we'll be losing random characters... not good. *** Apache/NT/Python2 Always unrecoverable data loss.
Re: [Web-SIG] problem with wsgiref.util.request_uri and decoded uri
Manlio Perillo wrote: On the other hand, if the WSGI gateway *do* decode the uri, I can no more handle '/' in uri. Correct. CGI requires that '%2F' is decoded, and hence indistinguishable from '/' when it gets to the application. And WSGI inherits CGI's flaws for compatibility. request_uri is doing the right thing in assuming that if you got a '%40' in your PATH_INFO, it must originally have been a '%2540'. It is an irritating limitation, but so far not irritating enough for an optional workaround to have made its way into non-CGI-based WSGI servers. It may become a bigger irritation as we move to Py3K, and get stuck with decoded top-bit-set characters being turned into Unicode using the system encoding (which is likely to be wrong). Windows already suffers from similar problems as its environment variables are natively Unicode, and its system encoding is never UTF-8 (which is the most likely encoding for path parts). Where can I find informations about alternate encoding scheme? It's easy enough to roll your own. For example htmlform uses a scheme of encoding path parts to '+XX' instead of '%XX'. encode_re= re.compile('[^-_.!~*()\'0-9a-zA-Z]') decode_re= re.compile(r'\+([0-9a-zA-Z][0-9a-zA-Z])') def encode(s): return encode_re.sub(lambda m: '+%02X' % (ord(m.group())), s) def decode(s): decode_re.sub(lambda m: chr(int(m.group(1),16)), s) -- And Clover mailto:[EMAIL PROTECTED] http://www.doxdesk.com/ ___ Web-SIG mailing list Web-SIG@python.org Web SIG: http://www.python.org/sigs/web-sig Unsubscribe: http://mail.python.org/mailman/options/web-sig/archive%40mail-archive.com
Re: [Web-SIG] WSGI, Python 3 and Unicode
James Y Knight wrote: In addition, I know of nobody who actually implements RFC 2047 decoding of http header values...nothing really uses it. (of course I don't know of all implementations out there.) Certainly no browser supports it, which makes the point moot for WSGI. Most browsers, when quoting a header parameter, simply encode using the previous page's charset and put quotes around it... even if the parameter has a quote or control codes in it. Ian wrote: Is this all compatible with os.environ in py3k? In 3.0a2 os.environ has Unicode strings for both keys and values. This is correct for Windows where environment variables are explicitly Unicode, but questionable (IMO) for Unix where they're really bytes that may or may not represent decodeable Unicode strings. SCRIPT_NAME/PATH_INFO This already causes problems in Windows CGI applications! Because these are passed in environment variables, IIS* has to decode the submitted bytes to Unicode first. It seems always to choose UTF-8 for this job, which I suppose is the least bad guess, but hardly infallible. (* - haven't tested this with Apache for Windows yet.) In Python 2.x, os.environ being byte strings, Python/the C library then has to encode them back to bytes, which I believe ends up using the system codepage. Since the system codepage is never UTF-8 on Windows this means not only that the bytes read back from eg. PATH_INFO are not the same as the original bytes submitted to the web server, but that if there are characters outside the system codepage submitted, they'll be unrecoverable. If os.environ remains Unicode in Unix and WSGI follows it (as it must if CGI-invoked WSGI is to continue working smoothly), webapps that try to allow for non-ASCII characters in URLs are likely to get some nasty deployment problems that depend on the system encoding setting, something that will be particularly troublesome for end-users to debug and fix. OTOH making the dictionaries reflect the underlying OS's conception of environment variables means users of os.environ and WSGI will have to be able to cope with both bytes and unicode, which would also be a big annoyance. In summary: urgh, this is all messy and 'orrible. -- And Clover mailto:[EMAIL PROTECTED] http://www.doxdesk.com/ ___ Web-SIG mailing list Web-SIG@python.org Web SIG: http://www.python.org/sigs/web-sig Unsubscribe: http://mail.python.org/mailman/options/web-sig/archive%40mail-archive.com
Re: [Web-SIG] WSGI, Python 3 and Unicode
Adam Atlas [EMAIL PROTECTED] wrote: I'd say it would be best to only accept `bytes` objects +1. HTTP is inherently byte-based. Any translation between bytes and unicode characters should be done at a higher level, by whatever web framework is living above WSGI. -- And Clover mailto:[EMAIL PROTECTED] http://www.doxdesk.com/ ___ Web-SIG mailing list Web-SIG@python.org Web SIG: http://www.python.org/sigs/web-sig Unsubscribe: http://mail.python.org/mailman/options/web-sig/archive%40mail-archive.com