Hi,

I couldn't find discussion of this in the archives, but it seems that
the URL Reconstruction section in PEP 3333 is recommending poor practice.

The issue is the suggested use of the HTTP Host header. Since this value
is client-supplied, a malicious user could craft an exploit in
applications that use this algorithm for cache poisoning, cross-site
scripting (XSS) and possibly other attacks. Consider two examples:

  Host: <script>alert('XSS')</script>
  Host: evil.com

The value of the header can be URL-encoded, i.e.:

  url += quote(environ['HTTP_HOST'])

However, this helps only in the first case, not the second. Hence it
really should not be used at all.

Depending on the WSGI server implementation, there might be an argument
to URL-encode the SERVER_NAME value, as well.

//Mike

-- 
⊨ Michael Gratton, Percept Wrangler.
⚙ <http://mjog.vee.net/>
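As an added illustration (not part of the post above, and not the PEP's own text), here is a WSGI URL reconstruction that keeps the PEP 3333 shape but only uses the client-supplied Host value after it passes a syntactic check and an allowlist of the names the server is configured to answer for, falling back to SERVER_NAME/SERVER_PORT otherwise. The names `host_allowed`, `reconstruct_url`, `naive_reconstruct_url`, `DisallowedHost` and `make_environ` are this example's own, and the environ it builds is constructed sample data for a fictitious application:

```python
import re
from urllib.parse import quote


class DisallowedHost(ValueError):
    """Raised when the client-supplied Host header names a host we do not serve."""


# Syntactic check for a Host header: RFC 1123 hostname (or a bracketed IPv6
# literal) with an optional ":port". Anything else, e.g. a <script> tag, fails.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(
    r"^(?:" + _LABEL + r"(?:\." + _LABEL + r")*\.?|\[[0-9a-f:.]+\])(?::[0-9]{1,5})?$",
    re.IGNORECASE,
)


def host_allowed(host, allowed_hosts):
    """True if `host` is well-formed and its name (port stripped, case-folded,
    trailing dot removed) is in `allowed_hosts`. An entry that starts with
    '.' matches that domain and every subdomain of it."""
    if not _HOST_RE.match(host):
        return False
    if host.startswith('['):
        name = host[:host.index(']') + 1]
    else:
        name = host.split(':', 1)[0]
    name = name.lower().rstrip('.')
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern.startswith('.'):
            if name == pattern[1:] or name.endswith(pattern):
                return True
        elif name == pattern:
            return True
    return False


def _server_authority(environ):
    """Authority built from the server-configured SERVER_NAME/SERVER_PORT."""
    authority = environ['SERVER_NAME']
    default_port = '443' if environ['wsgi.url_scheme'] == 'https' else '80'
    if environ['SERVER_PORT'] != default_port:
        authority += ':' + environ['SERVER_PORT']
    return authority


def _path_and_query(environ):
    tail = quote(environ.get('SCRIPT_NAME', '')) + quote(environ.get('PATH_INFO', ''))
    if environ.get('QUERY_STRING'):
        tail += '?' + environ['QUERY_STRING']
    return tail


def naive_reconstruct_url(environ):
    """The PEP 3333 recipe: whatever the client put in Host is used verbatim."""
    url = environ['wsgi.url_scheme'] + '://'
    if environ.get('HTTP_HOST'):
        url += environ['HTTP_HOST']
    else:
        url += _server_authority(environ)
    return url + _path_and_query(environ)


def reconstruct_url(environ, allowed_hosts):
    """Same reconstruction, but Host must pass `host_allowed`; a request that
    carries a Host we do not serve is refused rather than silently used."""
    url = environ['wsgi.url_scheme'] + '://'
    host = environ.get('HTTP_HOST')
    if host:
        if not host_allowed(host, allowed_hosts):
            raise DisallowedHost("refusing request for Host: %r" % host)
        url += host
    else:
        url += _server_authority(environ)
    return url + _path_and_query(environ)


def make_environ(host=None):
    """Constructed WSGI environ for a fictitious app (sample data, not real)."""
    environ = {
        'wsgi.url_scheme': 'http',
        'SERVER_NAME': 'app.example.org',
        'SERVER_PORT': '8080',
        'SCRIPT_NAME': '/app',
        'PATH_INFO': '/reset password',
        'QUERY_STRING': 'token=abc',
    }
    if host is not None:
        environ['HTTP_HOST'] = host
    return environ


if __name__ == '__main__':
    allowed = {'app.example.org'}
    for host in ("app.example.org", "evil.com", "<script>alert('XSS')</script>", None):
        env = make_environ(host)
        print("Host: %-32r naive   -> %s" % (host, naive_reconstruct_url(env)))
        try:
            print("%38s checked -> %s" % ("", reconstruct_url(env, allowed)))
        except DisallowedHost as exc:
            print("%38s checked -> rejected (%s)" % ("", exc))
```

Run as a script it prints, for each of the two Host values from the post plus a legitimate one and a missing header, what the PEP recipe would build and what the checked variant does; the two crafted values are rejected, the missing header falls back to SERVER_NAME with the non-default port appended. Rejecting with an exception (which the application should turn into a 400 response) rather than quietly substituting SERVER_NAME keeps a mis-routed request from being processed under a name the server never agreed to serve.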

_______________________________________________
Web-SIG mailing list
Web-SIG@python.org
Web SIG: http://www.python.org/sigs/web-sig