From f0c91cca484820d1034f3a5278c0662aed2a23ea Mon Sep 17 00:00:00 2001
From: Tomi Belan
Date: Sun, 22 May 2022 00:42:55 +0200
Subject: [PATCH] Check SCRIPT_NAME is at the request path's beginning

---
 gunicorn/http/errors.py | 9 +++++++++
 gunicorn/http/wsgi.py | 8 ++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/gunicorn/http/errors.py b/gunicorn/http/errors.py
index 7839ef05..05abd1ab 100644
--- a/gunicorn/http/errors.py
+++ b/gunicorn/http/errors.py
@@ -22,6 +22,15 @@ class NoMoreData(IOError):
         return "No more data after: %r" % self.buf
 
 
+class ConfigurationProblem(ParseException):
+    def __init__(self, info):
+        self.info = info
+        self.code = 500
+
+    def __str__(self):
+        return "Configuration problem: %s" % self.info
+
+
 class InvalidRequestLine(ParseException):
     def __init__(self, req):
         self.req = req
diff --git a/gunicorn/http/wsgi.py b/gunicorn/http/wsgi.py
index 7fca6142..bafed49e 100644
--- a/gunicorn/http/wsgi.py
+++ b/gunicorn/http/wsgi.py
@@ -10,7 +10,7 @@ import re
 import sys
 
 from gunicorn.http.message import TOKEN_RE
-from gunicorn.http.errors import InvalidHeader, InvalidHeaderName
+from gunicorn.http.errors import ConfigurationProblem, InvalidHeader, InvalidHeaderName
 from gunicorn import SERVER_SOFTWARE, SERVER
 from gunicorn import util
 
@@ -182,7 +182,11 @@ def create(req, sock, client, server, cfg):
     # set the path and script name
     path_info = req.path
     if script_name:
-        path_info = path_info.split(script_name, 1)[1]
+        if not path_info.startswith(script_name):
+            raise ConfigurationProblem(
+                "Request path %r does not start with SCRIPT_NAME %r" %
+                (path_info, script_name))
+        path_info = path_info[len(script_name):]
     environ['PATH_INFO'] = util.unquote_to_wsgi_str(path_info)
     environ['SCRIPT_NAME'] = script_name
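Review bot: `ConfigurationProblem.__str__` renders whatever `info` the caller passes, and the one call site in this patch builds that string from the raw request path (`%r` of `path_info`), so the message contains client-supplied bytes; if the worker's error handler writes `str(exc)` into the 500 response body, confirm that writer HTML-escapes it, or keep the request path out of `info` and log it server-side instead. The class also has no docstring, and its name is the only thing telling a reader how it differs from the sibling request-parse errors; I would add `"""Server-side misconfiguration detected while building a request (HTTP 500)."""` under the class line and a one-line comment on `self.code = 500` noting that, unlike the 400-class siblings, the fault is attributed to the deployment rather than the client. Like `InvalidRequestLine` below it, `__init__` does not call `super().__init__()`, which matches the file's existing style.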
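Review bot: The new prefix test in `create()` is not segment-aligned, so a request for `/apiv2/x` with SCRIPT_NAME `/api` passes `startswith` and yields a PATH_INFO of `v2/x`, which neither begins with `/` nor is empty as the CGI/WSGI contract expects; I would slice first and check the boundary, `rest = path_info[len(script_name):]` then `if not path_info.startswith(script_name) or rest[:1] not in ("", "/"):` before the existing `raise`, and assign `path_info = rest` afterwards. Note also that `path_info` is still percent-encoded here (it is unquoted only on the `environ['PATH_INFO']` line), so a SCRIPT_NAME containing characters that clients encode will never match; that is pre-existing, but worth a comment. Where `script_name` is assigned is outside this hunk; if it can come from a request header as well as the process environment, the 500 and its message become triggerable by any client, and a 400-class response would be the more accurate status for that case. The body of `create()` begins and ends outside the hunk.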