Opened 7 years ago
Last modified 7 years ago
#28473 new Bug
Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
Reported by: | Jonas Haag | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | 1.11 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Similar to #25598, SCRIPT_NAME should be considered for SECURE_REDIRECT_EXEMPT as well.

Generally speaking, there should be consistent handling of SCRIPT_NAME in the settings -- either consider it for all settings or for none.
Change History (3)
comment:1 by , 7 years ago
comment:2 by , 7 years ago
See #25598 for discussion of the use case (the setting should be independent from the subpath the application is mounted at). This breaks existing sites, yes. I haven't had a look into the implementation.
comment:3 by , 7 years ago
Component: | Uncategorized → HTTP handling |
---|---|
Triage Stage: | Unreviewed → Accepted |
I guess the idea would be to use request.path_info instead of request.path in the SecurityMiddleware?

Can you elaborate on the use case and how the behavior will change? Could the change break existing working configurations?
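The difference between matching on request.path and request.path_info, as an added example that is not part of the ticket and is not Django's code: a simplified model of the SECURE_REDIRECT_EXEMPT check for an application mounted under a SCRIPT_NAME. The function names, the /app mount point and the patterns are constructed for illustration.

```python
import re


def build_path(script_name, path_info):
    """request.path as the WSGI handler builds it: SCRIPT_NAME + PATH_INFO."""
    return script_name.rstrip("/") + path_info


def is_exempt(patterns, script_name, path_info, use_path_info):
    """Simplified model of the exempt check (hypothetical helper).

    use_path_info=False matches against request.path (includes SCRIPT_NAME);
    use_path_info=True matches against request.path_info, as comment:1 suggests.
    Leading slashes are stripped before matching, as the setting's
    documentation describes.
    """
    candidate = path_info if use_path_info else build_path(script_name, path_info)
    candidate = candidate.lstrip("/")
    return any(re.search(p, candidate) for p in patterns)


def compare(patterns, script_name, path_info):
    """Return (exempt when matching path, exempt when matching path_info)."""
    return (
        is_exempt(patterns, script_name, path_info, use_path_info=False),
        is_exempt(patterns, script_name, path_info, use_path_info=True),
    )


# Constructed cases: (SECURE_REDIRECT_EXEMPT patterns, SCRIPT_NAME, PATH_INFO)
CASES = [
    ([r"^healthz/$"], "", "/healthz/"),          # mounted at the root
    ([r"^healthz/$"], "/app", "/healthz/"),      # mount-independent pattern
    ([r"^app/healthz/$"], "/app", "/healthz/"),  # pattern that hard-codes the mount
]

if __name__ == "__main__":
    for patterns, script_name, path_info in CASES:
        by_path, by_path_info = compare(patterns, script_name, path_info)
        print(f"{patterns} mount={script_name!r}: "
              f"path -> exempt={by_path}, path_info -> exempt={by_path_info}")
```

The third case is the compatibility question from comment:1: a pattern that already includes the mount prefix is exempt when matched against request.path and would be redirected to HTTPS when matched against request.path_info.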