|
Roger Binns
rogerb at rogerbinns.com
Sat May 12 01:46:31 EDT 2007
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Graham Dumpleton wrote: > If your web browser doesn't normalise it I am sending requests from my test harness which does not do normalization. In my case normalization effectively "corrupts" the data. > then Apache will. Such > normalisation will be done before it even gets to mod_python. req.uri is normalized but req.unparsed_uri is as originally sent by the client, so I use that. The only remaining problem is that if the normalized uri doesn't reference my handler then it isn't called. <Location /api/v1/> SetHandler python-program PythonHandler restapiv1::RestAPIV1.RequestHandler </Location> So I get called for /api/v1/widget/a/b/c/d/../../e but not for /api/v1/widget/../../e/a/b/c/d > You state want you want to happen, but why exactly do you want to do > this in the first place? What is the underlying reason? Exactly as I said. It is a rest service and the names of items appear as part of the URL. eg You use PUT /api/v1/widget/foo to create a widget named foo, GET to query it, DELETE to delete it etc. But because of this normalization done by Apache before deciding which handler to call, that imposes an arbitrary constraint on names such that they can't have ../ sequences that get up before the /api/v1/. The arbitrary constraint then has to be documented, tested, have friendly information in user interfaces etc. It is an ugly wart and I was hoping it was unnecessary. Roger -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGRVS3mOOfHg372QQRAulYAJ90JYiXJ+FSkQzJPNpdlTCFJFSYvgCfbzw4 1FKXPA+JqBzWAufEfSe13CA= =ZdiB -----END PGP SIGNATURE-----
|