Opened 3 weeks ago

Closed 10 days ago

#36940 closed Bug (fixed)

Improve ASGI script prefix path_info handling

Reported by: Khadyot Takale Owned by: Khadyot Takale
Component: HTTP handling Version: 6.0
Severity: Normal Keywords: asgi script-prefix path-info
Cc: Khadyot Takale Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The current ASGIRequest.init uses str.removeprefix() to strip the script name from the request path to compute path_info. This is fragile because removeprefix is a pure string operation — it doesn't verify that the prefix is a proper path segment boundary.

For example, if script_name is /myapp and the path is /myapplication/page, removeprefix would incorrectly produce lication/page.

This patch replaces removeprefix with a check that ensures the script name is followed by / or is the exact path, before stripping it. This addresses the inline TODO comment.

Change History (6)

comment:1 by Khadyot Takale, 3 weeks ago

Has patch: set

comment:2 by Anurag Verma, 3 weeks ago

Owner: set to Anurag Verma
Status: newassigned

comment:3 by JaeHyuckSa, 3 weeks ago

Owner: changed from Anurag Verma to Khadyot Takale

comment:4 by Jacob Walls, 3 weeks ago

Easy pickings: unset
Needs tests: set
Patch needs improvement: set
Triage Stage: UnreviewedAccepted

comment:5 by Jacob Walls, 10 days ago

Needs tests: unset
Patch needs improvement: unset
Triage Stage: AcceptedReady for checkin

comment:6 by Jacob Walls <jacobtylerwalls@…>, 10 days ago

Resolution: fixed
Status: assignedclosed

In b33c31d:

Fixed #36940 -- Fixed script name edge case in ASGIRequest.path_info.

Paths that happened to begin with the script name were inappropriately
stripped, instead of checking that script name preceded a slash.

Note: See TracTickets for help on using tickets.
Back to Top