[Django] #28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting


Django

Aug 7, 2017, 8:21:51 AM
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-----------------------------------------+------------------------
Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
Similar to #25598, `SCRIPT_NAME` should be considered for
`SECURE_REDIRECT_EXEMPT` as well.

Generally speaking, there should be consistent handling of `SCRIPT_NAME`
in the settings -- either consider it for all settings or for none.

--
Ticket URL: <https://code.djangoproject.com/ticket/28473>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 10, 2017, 10:07:29 AM
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+--------------------------------------
Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Tim Graham):

I guess the idea would be to use `request.path_info` instead of
`request.path` in the
[https://github.com/django/django/blob/5cb7619995bd8df2969d4e92984768a4f14af89b/django/middleware/security.py#L21
SecurityMiddleware]?

Can you elaborate on the use case and how the behavior will change? Could
the change break existing working configurations?

--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:1>

Django

Aug 10, 2017, 10:52:34 AM
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+--------------------------------------
Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Jonas Haag):

See #25598 for discussion of the use case (the setting should be
independent from the subpath the application is mounted at). This breaks
existing sites, yes. I haven't had a look into the implementation.

--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:2>

Django

Aug 24, 2017, 10:51:10 AM
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+------------------------------------
Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: HTTP handling | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by Tim Graham):

* component: Uncategorized => HTTP handling
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:3>

Django

May 20, 2026, 9:00:24 AM
to django-...@googlegroups.com
#28473: Consider SCRIPT_NAME for SECURE_REDIRECT_EXEMPT setting
-------------------------------+------------------------------------
Reporter: Jonas Haag | Owner: nobody
Type: Bug | Status: new
Component: HTTP handling | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Comment (by Sniom):

I've got the same use case:
I set `SCRIPT_NAME` to "/some_script_name".

At first I wanted http://url.com/some_script_name/exempt1 and
http://url.com/some_script_name/exempt2 to be served via http.
So I set `SECURE_REDIRECT_EXEMPT=[r"^exempt1$", r"^exempt2$"]`.

It took me some time to figure out that `SECURE_REDIRECT_EXEMPT` was not
taking into account `SCRIPT_NAME`.
I had to modify `SECURE_REDIRECT_EXEMPT` to
`[r"^some_script_name/exempt1$", r"^some_script_name/exempt2$"]`.

Seems to me using `request.path_info` rather than `request.path` would do
the trick.
But changing that would break existing sites using `SCRIPT_NAME` +
`SECURE_REDIRECT_EXEMPT`.

Should we at least document this strange behaviour in
https://docs.djangoproject.com/en/6.0/ref/settings/#secure-redirect-exempt ?

(I am using django version 6.0.5)
--
Ticket URL: <https://code.djangoproject.com/ticket/28473#comment:4>
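A stand-alone model of the exemption check that Tim Graham's and Sniom's comments discuss (added here as an illustration; it is not Django's own code), run over Sniom's configuration once with `request.path` and once with the proposed `request.path_info`. It assumes, following the middleware the thread links to, that the leading "/" is stripped and each `SECURE_REDIRECT_EXEMPT` pattern is applied with `re.search()`; `FakeRequest` and its values are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class FakeRequest:
    """Constructed stand-in for a request; only the two path attributes matter here."""
    script_name: str  # mount point (SCRIPT_NAME), e.g. "/some_script_name"
    path_info: str    # path relative to the mount point, e.g. "/exempt1"

    @property
    def path(self) -> str:
        # request.path is the full path: SCRIPT_NAME + PATH_INFO
        return self.script_name.rstrip("/") + self.path_info


def is_exempt(request, exempt_patterns, use_path_info=False):
    """True if the request matches one of the SECURE_REDIRECT_EXEMPT regexes.

    Assumption (modelled on the middleware, not copied from it): the leading
    "/" is stripped and each compiled pattern is tried with re.search().
    """
    compiled = [re.compile(p) for p in exempt_patterns]
    path = (request.path_info if use_path_info else request.path).lstrip("/")
    return any(p.search(path) for p in compiled)


def needs_https_redirect(request, exempt_patterns, is_secure=False, use_path_info=False):
    """Plain-HTTP requests are redirected to HTTPS unless exempt; HTTPS never is."""
    if is_secure:
        return False
    return not is_exempt(request, exempt_patterns, use_path_info)


if __name__ == "__main__":
    req = FakeRequest("/some_script_name", "/exempt1")
    # Patterns written against the mount-relative path, as Sniom first tried.
    relative = [r"^exempt1$", r"^exempt2$"]
    # Patterns that include the mount point, the workaround Sniom ended up with.
    prefixed = [r"^some_script_name/exempt1$", r"^some_script_name/exempt2$"]
    # Current behaviour (request.path): the relative exemption silently never matches,
    # so the request is still redirected; only the prefixed form exempts it.
    print(needs_https_redirect(req, relative), needs_https_redirect(req, prefixed))
    # Proposed behaviour (request.path_info): the outcomes flip, which is the
    # compatibility break both comments point out.
    print(needs_https_redirect(req, relative, use_path_info=True),
          needs_https_redirect(req, prefixed, use_path_info=True))
```

Note that the mismatch fails closed: a pattern that does not match leaves the HTTPS redirect in place rather than exposing the URL over plain HTTP.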