Opened 4 months ago

Last modified 3 months ago

#28473 new Bug

Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting

Reported by: Jonas Haag
Owned by: nobody
Component: HTTP handling
Version: 1.11
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Similar to #25598, SCRIPT_NAME should be considered for SECURE_REDIRECT_EXEMPT as well.

Generally speaking, there should be consistent handling of SCRIPT_NAME in the settings -- either consider it for all settings or for none.

Change History (3)

comment:1 Changed 3 months ago by Tim Graham

I guess the idea would be to use request.path_info instead of request.path in the SecurityMiddleware?

Can you elaborate on the use case and how the behavior will change? Could the change break existing working configurations?

comment:2 Changed 3 months ago by Jonas Haag

See #25598 for discussion of the use case (the setting should be independent from the subpath the application is mounted at). This breaks existing sites, yes. I haven't had a look into the implementation.

comment:3 Changed 3 months ago by Tim Graham

Component: Uncategorized → HTTP handling
Triage Stage: Unreviewed → Accepted
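
The request.path versus request.path_info question raised in comment:1, and the breakage acknowledged in comment:2, as an added example that is not part of the ticket and is not Django's code. It is a stand-alone model that lists every path whose HTTPS-redirect exemption would flip between the two matching modes. Assumptions: the check strips leading slashes and then runs a regex search (modeled on SecurityMiddleware), and the mount point, patterns and paths are constructed sample values.

```python
import re


def is_exempt(patterns, path):
    """Model of the exemption check: strip leading slashes, then regex search."""
    stripped = path.lstrip("/")
    return any(re.search(pattern, stripped) for pattern in patterns)


def exemption_changes(patterns, script_name, path_infos):
    """Return {path_info: (exempt_by_path, exempt_by_path_info)} for each path
    whose exemption differs between matching on request.path and on
    request.path_info."""
    changes = {}
    for path_info in path_infos:
        # request.path is SCRIPT_NAME followed by PATH_INFO
        full_path = script_name.rstrip("/") + path_info
        by_path = is_exempt(patterns, full_path)
        by_path_info = is_exempt(patterns, path_info)
        if by_path != by_path_info:
            changes[path_info] = (by_path, by_path_info)
    return changes


# Constructed sample deployment: application mounted under /app.
SCRIPT_NAME = "/app"
# One pattern written with the mount prefix, one written without it.
PATTERNS = [r"^app/health/$", r"^metrics/$"]
PATHS = ["/health/", "/metrics/", "/login/"]


def describe(old, new):
    """Explain what a flip means for plain-HTTP handling of the path."""
    if old and not new:
        return "currently exempt, would start redirecting to HTTPS"
    return "currently redirected, would become reachable over plain HTTP"


if __name__ == "__main__":
    found = exemption_changes(PATTERNS, SCRIPT_NAME, PATHS)
    for path_info, (old, new) in sorted(found.items()):
        print(f"{path_info}: {describe(old, new)}")
```

Running the same audit over a site's real exempt patterns and URL list before such a change shows which exemptions silently disappear and which paths would newly skip the HTTPS redirect.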