Patchwork D2731: hgweb: validate WSGI environment dict

login
register
mail settings
Submitter phabricator
Date March 9, 2018, 1:06 a.m.
Message ID <differential-rev-PHID-DREV-nkuyjqgvymiv4xzsg2fw-req@phab.mercurial-scm.org>
Download mbox | patch
Permalink /patch/29136/
State Superseded
Headers show

Comments

phabricator - March 9, 2018, 1:06 a.m.
indygreg created this revision.
Herald added a subscriber: mercurial-devel.
Herald added a reviewer: hg-reviewers.

REVISION SUMMARY
  The wsgiref.validate module contains useful functions for validating
  that various WSGI data structures are proper.
  
  This commit adds validation of the environment dict to our built-in
  HTTP server, which turns an HTTP request into an environment dict.
  
  The check discovered that we weren't always setting QUERY_STRING,
  which would cause the cgi module to fall back to sys.argv. So we
  change things to always set QUERY_STRING.
  
  The check passes on Python 2 and 3.

REPOSITORY
  rHG Mercurial

REVISION DETAIL
  https://phab.mercurial-scm.org/D2731

AFFECTED FILES
  mercurial/hgweb/server.py

CHANGE DETAILS




To: indygreg, #hg-reviewers
Cc: mercurial-devel

Patch

diff --git a/mercurial/hgweb/server.py b/mercurial/hgweb/server.py
--- a/mercurial/hgweb/server.py
+++ b/mercurial/hgweb/server.py
@@ -13,6 +13,7 @@ 
 import socket
 import sys
 import traceback
+import wsgiref.validate
 
 from ..i18n import _
 
@@ -128,8 +129,7 @@ 
         env[r'PATH_INFO'] = pycompat.sysstr(path[len(self.server.prefix):])
         env[r'REMOTE_HOST'] = self.client_address[0]
         env[r'REMOTE_ADDR'] = self.client_address[0]
-        if query:
-            env[r'QUERY_STRING'] = query
+        env[r'QUERY_STRING'] = query or r''
 
         if pycompat.ispy3:
             if self.headers.get_content_type() is None:
@@ -166,6 +166,8 @@ 
                                               socketserver.ForkingMixIn)
         env[r'wsgi.run_once'] = 0
 
+        wsgiref.validate.check_environ(env)
+
         self.saved_status = None
         self.saved_headers = []
         self.length = None