author | Helmut Grohne <helmut@subdivi.de> | 2011-01-12 21:20:21 +0100 |
---|---|---|
committer | Helmut Grohne <helmut@subdivi.de> | 2011-01-12 21:20:21 +0100 |
commit | 8f0c538410f94e18146a3514ba2284af89cbcf59 (patch) | |
tree | 9fa8a778f2241041fa73cc95e6bd7fd11aa10579 /wsgitools | |
parent | 5743d081855fb71db736e6319b1deb6363994c0c (diff) | |
download | wsgitools-8f0c538410f94e18146a3514ba2284af89cbcf59.tar.gz |
bug fix for StaticContent and CachingMiddleware
PEP333 says that the headers list passed to start_response may be modified by
servers or middlewares. In fact this happens in DigestAuthMiddleware. The
StaticContent and CachingMiddleware classes did not take this into account and
returned the same headers list multiple times which is wrong and can lead to
denial of service.
Diffstat (limited to 'wsgitools')
-rw-r--r-- | wsgitools/applications.py | 2 | ||||
-rw-r--r-- | wsgitools/middlewares.py | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/wsgitools/applications.py b/wsgitools/applications.py
index 63ed63c..8a02fe8 100644
--- a/wsgitools/applications.py
+++ b/wsgitools/applications.py
@@ -54,7 +54,7 @@ class StaticContent:
 start_response("501 Not Implemented", [("Content-length", str(len(resp)))])
 return [resp]
- start_response(self.status, self.headers)
+ start_response(self.status, list(self.headers))
 if environ["REQUEST_METHOD"].upper() == "HEAD":
 return []
 return self.content
diff --git a/wsgitools/middlewares.py b/wsgitools/middlewares.py
index 46a93f5..654f5db 100644
--- a/wsgitools/middlewares.py
+++ b/wsgitools/middlewares.py
@@ -260,7 +260,7 @@ class CachingMiddleware:
 if path in self.cache and self.cacheable(environ):
 cache_object = self.cache[path]
 if cache_object[0] + self.maxage >= now:
- start_response(cache_object[1], cache_object[2])
+ start_response(cache_object[1], list(cache_object[2]))
 return cache_object[3]
 else:
 del self.cache[path]
@@ -272,7 +272,7 @@ class CachingMiddleware:
 return self.app(status, headers, exc_info)
 cache_object[1] = status
 cache_object[2] = headers
- write = start_response(status, headers)
+ write = start_response(status, list(headers))
 def modified_write(data):
 cache_object[3].append(data)
 write(data) |
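Review bot: The new `list(self.headers)` copy in StaticContent carries no comment saying why it is there, so a later cleanup could fold it back to `self.headers` and bring the shared-list problem back. I would add `# PEP 333: servers and middleware may mutate this list, so pass a copy` above the call; the same comment fits the two `start_response` calls changed in middlewares.py. The copy is shallow, which is enough only while the stored entries are immutable `(name, value)` tuples; that is presumably the case, but the headers are built outside this hunk. The enclosing method starts before the hunk.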
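Review bot: The cache-hit path in the `@@ -260` hunk is a check-then-use on `self.cache` (`path in self.cache`, then `self.cache[path]`, then `del self.cache[path]`) with no locking visible, so under a multithreaded WSGI server two requests hitting the same expired entry could leave one of them raising `KeyError`. If threaded deployment is supported, `cache_object = self.cache.get(path)` with a `None` check, and `self.cache.pop(path, None)` in the `else` branch, would avoid that failure without a lock. The method starts and ends outside the hunk, so any locking done elsewhere cannot be seen from here.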
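Review bot: The context line `return self.app(status, headers, exc_info)` in the `@@ -272` hunk passes start_response arguments to what looks like the wrapped application rather than to the server callback. Its guard is outside the hunk, but if this is the `exc_info` branch of the start_response wrapper it presumably should read `return start_response(status, list(headers), exc_info)`. Separately, `cache_object[2] = headers` still stores the application's own list object, so a later mutation by that application would silently change the cached entry; `cache_object[2] = list(headers)` would snapshot it at the time of caching.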