authorGraham Dumpleton <Graham.Dumpleton@gmail.com>2012-04-15 15:15:55 +1000
committerGraham Dumpleton <Graham.Dumpleton@gmail.com>2012-04-15 15:15:55 +1000
commit74330002076811f7428789ccee89943e2e6b1da5 (patch)
tree53da24e22a252b159adfde0022818df7295becbc
parent3d27492b65be671b1466cd03c061146c2e64c6bb (diff)
downloadmod_wsgi-74330002076811f7428789ccee89943e2e6b1da5.tar.gz
Remove HTTPS variable from WSGI environment, ensuring that only wsgi.url_scheme is present. This is to stop use/abuse of this variable by non-conformant WSGI applications.
-rw-r--r--mod_wsgi.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/mod_wsgi.c b/mod_wsgi.c
index 221ae93..a75d36c 100644
--- a/mod_wsgi.c
+++ b/mod_wsgi.c
@@ -3589,6 +3589,18 @@ static PyObject *Adapter_environ(AdapterObject *self)
}
/*
+ * We remove the HTTPS variable because WSGI compliant
+ * applications shouldn't rely on it. Instead they should
+ * use wsgi.url_scheme. We do this even if SetEnv was
+ * used to set HTTPS from Apache configuration. That is
+ * we convert it into the correct variable and remove the
+ * original.
+ */
+
+ if (scheme)
+ PyDict_DelItemString(vars, "HTTPS");
+
+ /*
* Setup log object for WSGI errors. Don't decrement
* reference to log object as keep reference to it.
*/
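Review bot: The added `PyDict_DelItemString(vars, "HTTPS")` call ignores its return value, and that function returns -1 with a KeyError set when the key is absent. The guard is `if (scheme)`, which presumably holds for plain-HTTP requests as well, where no HTTPS entry would exist in `vars`; that is inferred, since the code that sets `scheme` is outside the hunk. A KeyError left pending could then surface as a spurious failure in a later C-API call. Either test for the key first, `if (scheme && PyDict_GetItemString(vars, "HTTPS")) PyDict_DelItemString(vars, "HTTPS");`, or clear the error, `if (PyDict_DelItemString(vars, "HTTPS") < 0) PyErr_Clear();`. The body of Adapter_environ starts and ends outside this hunk.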