Opened 8 years ago

Last modified 7 years ago

#28473 new Bug

Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting

Reported by: Jonas Haag
Owned by: nobody
Component: HTTP handling
Version: 1.11
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Similar to #25598, SCRIPT_NAME should be considered for SECURE_REDIRECT_EXEMPT as well.

Generally speaking, there should be consistent handling of SCRIPT_NAME in the settings -- either consider it for all settings or for none.


Change History (3)

comment:1 by Tim Graham, 8 years ago

I guess the idea would be to use request.path_info instead of request.path in the SecurityMiddleware?

Can you elaborate on the use case and how the behavior will change? Could the change break existing working configurations?

comment:2 by Jonas Haag, 8 years ago

See #25598 for discussion of the use case (the setting should be independent from the subpath the application is mounted at). This breaks existing sites, yes. I haven't had a look into the implementation.
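
The trade-off raised in comments 1 and 2, as an added example that is not part of the ticket or Django's own code: a stand-alone model of matching SECURE_REDIRECT_EXEMPT patterns against the full request path (SCRIPT_NAME included) versus against `path_info`. The helper names, the `/app` mount point and the patterns are constructed for illustration.

```python
import re


def request_path(script_name, path_info):
    # Full URL path as the client sent it: mount prefix plus in-app path.
    return "%s/%s" % (script_name.rstrip("/"), path_info.lstrip("/"))


def redirects_to_https(path, exempt_patterns):
    # Model: an insecure request is redirected unless an exempt pattern
    # matches the path with its leading slash removed.
    stripped = path.lstrip("/")
    return not any(re.search(p, stripped) for p in exempt_patterns)


def behaviour_change(script_name, exempt_patterns, path_infos):
    """Map each sample path whose outcome differs between the two rules to
    (redirected when matching request.path, redirected when matching path_info)."""
    changed = {}
    for path_info in path_infos:
        full = request_path(script_name, path_info)
        by_path = redirects_to_https(full, exempt_patterns)
        by_path_info = redirects_to_https(path_info, exempt_patterns)
        if by_path != by_path_info:
            changed[path_info] = (by_path, by_path_info)
    return changed


# Constructed sample data (assumptions, not taken from the ticket).
SAMPLE_PATHS = ["/healthz/", "/login/"]
PORTABLE = [r"^healthz/$"]      # written as if the app were mounted at the root
PREFIXED = [r"^app/healthz/$"]  # written to include the "/app" mount point

if __name__ == "__main__":
    cases = [("", PORTABLE), ("/app", PORTABLE), ("/app", PREFIXED)]
    for mount, patterns in cases:
        print(repr(mount), patterns,
              behaviour_change(mount, patterns, SAMPLE_PATHS))
```

A pattern written without the mount prefix loses its exemption under a subpath when the full path is matched, while a pattern that already includes the prefix stops matching once `path_info` is used, which is the breakage acknowledged in comment 2.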

comment:3 by Tim Graham, 7 years ago

Component: Uncategorized → HTTP handling
Triage Stage: Unreviewed → Accepted