From 8f0c538410f94e18146a3514ba2284af89cbcf59 Mon Sep 17 00:00:00 2001
From: Helmut Grohne
Date: Wed, 12 Jan 2011 21:20:21 +0100
Subject: bug fix for StaticContent and CachingMiddleware

PEP333 says that the headers list passed to start_response may be modified by servers or middlewares. In fact this happens in DigestAuthMiddleware. The StaticContent and CachingMiddleware classes did not take this into account and returned the same headers list multiple times which is wrong and can lead to denial of service.
---
 wsgitools/applications.py | 2 +-
 wsgitools/middlewares.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/wsgitools/applications.py b/wsgitools/applications.py
index 63ed63c..8a02fe8 100644
--- a/wsgitools/applications.py
+++ b/wsgitools/applications.py
@@ -54,7 +54,7 @@ class StaticContent:
 start_response("501 Not Implemented",
 [("Content-length", str(len(resp)))])
 return [resp]
- start_response(self.status, self.headers)
+ start_response(self.status, list(self.headers))
 if environ["REQUEST_METHOD"].upper() == "HEAD":
 return []
 return self.content
diff --git a/wsgitools/middlewares.py b/wsgitools/middlewares.py
index 46a93f5..654f5db 100644
--- a/wsgitools/middlewares.py
+++ b/wsgitools/middlewares.py
@@ -260,7 +260,7 @@ class CachingMiddleware:
 if path in self.cache and self.cacheable(environ):
 cache_object = self.cache[path]
 if cache_object[0] + self.maxage >= now:
- start_response(cache_object[1], cache_object[2])
+ start_response(cache_object[1], list(cache_object[2]))
 return cache_object[3]
 else:
 del self.cache[path]
@@ -272,7 +272,7 @@ class CachingMiddleware:
 return self.app(status, headers, exc_info)
 cache_object[1] = status
 cache_object[2] = headers
- write = start_response(status, headers)
+ write = start_response(status, list(headers))
 def modified_write(data):
 cache_object[3].append(data)
 write(data)
--
cgit v1.2.3
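Review bot: The `list(...)` copy added in the StaticContent hunk of wsgitools/applications.py, and the two added at the `start_response` calls in CachingMiddleware, have no comment, so the reason for them lives only in the commit message. A later cleanup could drop the copy as redundant and bring back the shared, ever-growing headers list. A one-line comment above each call would keep the invariant visible, for example `# PEP 333: servers/middleware may mutate this list, so pass a copy`. The enclosing method starts outside the hunk.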
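Review bot: In the last hunk of wsgitools/middlewares.py (`@@ -272,7 +272,7 @@`), the context line `cache_object[2] = headers` still stores the very list object the wrapped application passed in; only the list handed on to `start_response` is copied. If the application keeps and reuses or mutates that list, the cached headers change with it and are replayed to later clients on cache hits. Storing a copy, `cache_object[2] = list(headers)`, would make the cache entry independent of both the application and the downstream layers. Whether any wrapped application retains its list is not visible here, and the enclosing function starts and ends outside the hunk.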