Hi Server team,

Could you please take a look at the following lines in wsgi.py:

    def build_environ(self, scope, body):
        ...
        environ = {
            ...
            "SCRIPT_NAME": scope.get("root_path", "").encode("utf8").decode("latin1"),
            "PATH_INFO": scope["path"].encode("utf8").decode("latin1"),
            "QUERY_STRING": scope["query_string"].decode("ascii"),
            ...
        }
    ...

There is a concern around encoding and decoding non-validated data that caught
our attention.
Could you give us your feedback on whether you think it is possible that someone
could use malicious data in order to cause damage to the operation (maybe some
sort of garbage data in HTTP headers)?

Thank you very much.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1953173

Title:
  [MIR] python-asgiref
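
An added example, not part of the original message and not asgiref's own code: it applies the three quoted conversions to constructed scope values to show which inputs convert cleanly and which raise a UnicodeError subclass. The helper names and sample scopes are hypothetical, and whether an ASGI server can actually deliver such values to build_environ() is not established by this report.

```python
# Added illustration; the three expressions are copied from the quoted
# build_environ() excerpt, every other name here is hypothetical.

def to_wsgi_str(text):
    """UTF-8 bytes re-read as latin1, as done for SCRIPT_NAME and PATH_INFO."""
    # latin1 maps all 256 byte values, so only the encode step can fail.
    return text.encode("utf8").decode("latin1")


def environ_fields(scope):
    """Apply the three quoted conversions to an ASGI-style scope dict."""
    return {
        "SCRIPT_NAME": to_wsgi_str(scope.get("root_path", "")),
        "PATH_INFO": to_wsgi_str(scope["path"]),
        "QUERY_STRING": scope["query_string"].decode("ascii"),
    }


def classify(scope):
    """Return 'ok' or the name of the exception the conversion raises."""
    try:
        environ_fields(scope)
        return "ok"
    except UnicodeError as exc:  # parent of UnicodeEncodeError/DecodeError
        return type(exc).__name__


# Constructed sample scopes (not captured traffic).
SAMPLES = {
    "plain": {"path": "/items", "query_string": b"q=1"},
    "non_ascii_path": {"path": "/caf\u00e9", "query_string": b""},
    "raw_high_byte_query": {"path": "/", "query_string": b"q=\xff"},
    "lone_surrogate_path": {"path": "/\udcff", "query_string": b""},
}

if __name__ == "__main__":
    for name, scope in SAMPLES.items():
        print(f"{name:22} -> {classify(scope)}")
```

The two failing cases surface as exceptions inside the conversion, so the practical question for the review is where those exceptions are caught and what response the caller produces.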
