[Django] #28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting


Django

Aug 7, 2017, 8:21:51 AM
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-----------------------------------------+------------------------
Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
Similar to #25598, `SCRIPT_NAME` should be considered for
`SECURE_REDIRECT_EXEMPT` as well.

Generally speaking, there should be consistent handling of `SCRIPT_NAME`
in the settings -- either consider it for all settings or for none.

--
Ticket URL: <https://code.djangoproject.com/ticket/28473>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 10, 2017, 10:07:29 AM
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+--------------------------------------
Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Tim Graham):

I guess the idea would be to use `request.path_info` instead of
`request.path` in the
[https://github.com/django/django/blob/5cb7619995bd8df2969d4e92984768a4f14af89b/django/middleware/security.py#L21
SecurityMiddleware]?

Can you elaborate on the use case and how the behavior will change? Could
the change break existing working configurations?

--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:1>

Django

Aug 10, 2017, 10:52:34 AM
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+--------------------------------------
Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Jonas Haag):

See #25598 for discussion of the use case (the setting should be
independent from the subpath the application is mounted at). This breaks
existing sites, yes. I haven't had a look into the implementation.

--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:2>

Django

Aug 24, 2017, 10:51:10 AM
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+------------------------------------
Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: HTTP handling | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by Tim Graham):

* component: Uncategorized => HTTP handling
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:3>
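
The `request.path` versus `request.path_info` question from comment 1, worked through as an added example (not part of the thread and not Django's own code). It is a simplified, framework-free model of the exemption check; the helper names, mount prefixes and patterns are constructed for illustration.

```python
import re


def wsgi_paths(script_name, path_info):
    """Return (path, path_info) as a WSGI request would expose them.

    path carries the mount prefix (SCRIPT_NAME); path_info does not.
    """
    path = "%s/%s" % (script_name.rstrip("/"), path_info.lstrip("/"))
    return path, path_info


def is_exempt(candidate, patterns):
    """Model of the exemption test: drop leading slashes, then regex-search."""
    stripped = candidate.lstrip("/")
    return any(re.search(p, stripped) for p in patterns)


def compare(script_name, path_info, patterns):
    """Report whether the HTTPS redirect is skipped under each matching rule."""
    path, info = wsgi_paths(script_name, path_info)
    return {
        "path": is_exempt(path, patterns),       # prefix-sensitive matching
        "path_info": is_exempt(info, patterns),  # prefix-independent matching
    }


# Constructed deployments: (SCRIPT_NAME, PATH_INFO, exempt patterns).
CASES = [
    # Mounted at the root: both rules agree.
    ("", "/healthz", [r"^healthz$"]),
    # Mounted under /app: an anchored pattern no longer matches the full
    # path, so the exemption silently disappears.
    ("/app", "/healthz", [r"^healthz$"]),
    # Unanchored pattern plus a mount prefix that contains it: every URL of
    # the application is exempt from the redirect when the full path is used.
    ("/healthz-svc", "/login", [r"healthz"]),
]

if __name__ == "__main__":
    for script_name, path_info, patterns in CASES:
        print(script_name or "(root)", path_info, patterns,
              compare(script_name, path_info, patterns))
```

The second and third cases are the configurations whose behavior differs between the two matching rules, which is what the "could the change break existing working configurations?" question is about.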
