[Django] #28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting

34 views
Skip to first unread message

Django

unread,
Aug 7, 2017, 8:21:51 AM8/7/17
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-----------------------------------------+------------------------
Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
Similar to #25598, `SCRIPT_NAME` should be considered for
`SECURE_REDIRECT_EXEMPT` as well.

Generally speaking, there should be consistent handling of `SCRIPT_NAME`
in the settings -- either consider it for all settings or for none.

--
Ticket URL: <https://code.djangoproject.com/ticket/28473>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

unread,
Aug 10, 2017, 10:07:29 AM8/10/17
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+--------------------------------------

Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Severity: Normal | Resolution:

Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Tim Graham):

I guess the idea would be to use `request.path_info` instead of
`request.path` in the
[https://github.com/django/django/blob/5cb7619995bd8df2969d4e92984768a4f14af89b/django/middleware/security.py#L21
SecurityMiddleware]?

Can you elaborate on the use case and how the behavior will change? Could
the change break existing working configurations?

--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:1>

Django

unread,
Aug 10, 2017, 10:52:34 AM8/10/17
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+--------------------------------------

Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Severity: Normal | Resolution:

Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Jonas Haag):

See #25598 for discussion of the use case (the setting should be
independent from the subpath the application is mounted at). This breaks
existing sites, yes. I haven't had a look into the implementation.

--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:2>

Django

unread,
Aug 24, 2017, 10:51:10 AM8/24/17
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+------------------------------------

Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: HTTP handling | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by Tim Graham):

* component: Uncategorized => HTTP handling
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:3>

Django

unread,
May 20, 2026, 9:00:24 AMMay 20
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+------------------------------------
Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: HTTP handling | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Comment (by Sniom):

I've got the same use case :
I set `SCRIPT_NAME` to "/some_script_name".

At first I wanted http://url.com/some_script_name/exempt1 and
http://url.com/some_script_name/exempt2 to be served via http.
So I set `SECURE_REDIRECT_EXEMPT=[r"^exempt1$", "^exempt2$""]`

It took me some time to figure out that `SECURE_REDIRECT_EXEMPT` was not
taking into account `SCRIPT_NAME`
I had to modify `SECURE_REDIRECT_EXEMPT` to
`[r"^some_script_name/exempt1$", r"^some_script_name/exempt2$"]`

Seems to me using `request.path_info` rather than `request.path` would do
the trick.
But changing that would break existing sites using `SCRIPT_NAME` +
`SECURE_REDIRECT_EXEMPT`

Should we at least document this strange behaviour in
https://docs.djangoproject.com/en/6.0/ref/settings/#secure-redirect-exempt
?

(I am using django version 6.0.5)
--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:4>

Django

unread,
May 27, 2026, 4:42:06 AMMay 27
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+------------------------------------
Reporter: Jonas Haag | Owner: gaweng
Type: Bug | Status: assigned
Component: HTTP handling | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by gaweng):

* owner: nobody => gaweng
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:5>

Django

unread,
May 27, 2026, 4:56:58 AMMay 27
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+------------------------------------
Reporter: Jonas Haag | Owner: gaweng
Type: Bug | Status: assigned
Component: HTTP handling | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by gaweng):

* has_patch: 0 => 1

Comment:

https://github.com/django/django/pull/21367
--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:6>

Django

unread,
Jul 17, 2026, 12:45:55 PM (2 days ago) Jul 17
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+------------------------------------
Reporter: Jonas Haag | Owner: gaweng
Type: Bug | Status: assigned
Component: HTTP handling | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by blighj):

* needs_better_patch: 0 => 1

Comment:

The PR is marked as a draft on github, I'm going to take that as a signal
that it is not ready for review yet. So I'm checking patch needs
improvement to take it out of the review queue. If it is ready for review
go ahead mark it as ready on github and I'll jump in.
--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:7>
Reply all
Reply to author
Forward
0 new messages