author | Graham Dumpleton <Graham.Dumpleton@gmail.com> | 2012-04-15 15:15:55 +1000 |
---|---|---|
committer | Graham Dumpleton <Graham.Dumpleton@gmail.com> | 2012-04-15 15:15:55 +1000 |
commit | 74330002076811f7428789ccee89943e2e6b1da5 (patch) | |
tree | 53da24e22a252b159adfde0022818df7295becbc | |
parent | 3d27492b65be671b1466cd03c061146c2e64c6bb (diff) | |
download | mod_wsgi-74330002076811f7428789ccee89943e2e6b1da5.tar.gz |
Remove HTTPS variable from WSGI environment ensuring that only wsgi.url_scheme is present. This is to stop use/abuse of this variable by non conformant WSGI applications.
-rw-r--r-- | mod_wsgi.c | 12 |
1 files changed, 12 insertions, 0 deletions
@@ -3589,6 +3589,18 @@ static PyObject *Adapter_environ(AdapterObject *self) } /* + * We remove the HTTPS variable because WSGI compliant + * applications shouldn't rely on it. Instead they should + * use wsgi.url_scheme. We do this even if SetEnv was + * used to set HTTPS from Apache configuration. That is + * we convert it into the correct variable and remove the + * original. + */ + + if (scheme) + PyDict_DelItemString(vars, "HTTPS"); + + /* * Setup log object for WSGI errors. Don't decrement * reference to log object as keep reference to it. */ |
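Review bot: the return value of `PyDict_DelItemString(vars, "HTTPS")` under `if (scheme)` is ignored, and that call returns -1 with a KeyError set when the key is not in the dictionary. The hunk does not show that a non-NULL `scheme` guarantees "HTTPS" is present in `vars`, so either state that invariant in the new comment or check the result and call `PyErr_Clear()` on failure, so that no pending exception leaks into the log object setup that follows. The comment also says the value is converted "into the correct variable", but the conversion to wsgi.url_scheme is not in this hunk; a short pointer to where it happens would help a reader confirm that the deletion always runs after it. Since the goal is that only wsgi.url_scheme is ever present, it is also worth confirming that there is no path where `scheme` is NULL while "HTTPS" still reaches `vars`.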