On 14 October 2014 16:21, Graham Dumpleton <graham.dumple...@gmail.com> wrote:
>
> This behaviour is by virtue of Apache 2.4 doing the blocking.

Nice :).

> There was however a bug in mod_wsgi which means that spoofed headers still
> got through in environ passed to mod_wsgi specific
> access/authentication/authorization hook extensions for Apache. This has
> been fixed in recent release. At the same time it was decided to apply the
> more strict rules about what was allowed back to older Apache 2.2 as well,
> since Apache 2.2 doesn't do the blocking that Apache 2.4 does.
>
> Unfortunately because Linux distros ship out of date mod_wsgi versions, it
> can still be an issue there. Have been pondering turning the issue into a
> CERT just to force them to back port the fixes. :-)

+1 on that, it's indeed an issue and many folk won't consider issue there.

For WSGI I agree that the protocol doesn't need to make these deployer
decisions etc - but we do need to clarify REMOTE_ADDR for unix sockets.

I've filed https://github.com/python-web-sig/wsgi-ng/issues/11 to track this.

-Rob

--
Robert Collins <rbtcoll...@hp.com>
Distinguished Technologist
HP Converged Cloud
_______________________________________________
Web-SIG mailing list
Web-SIG@python.org
Web SIG: http://www.python.org/sigs/web-sig
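
Added example, not part of the original message and not mod_wsgi's code: a sketch of why header names have to be filtered before the CGI-style mapping into environ, since two different field names can land on the same key. The strict rule used here (letters, digits and hyphens only) and the X-Auth-User header are assumptions made for illustration.

```python
import re

# Assumption: "strict rules" modelled as letters, digits and hyphens only.
STRICT_NAME = re.compile(r"[A-Za-z0-9-]+")


def cgi_key(name):
    """CGI-style mapping used for WSGI environ keys."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ(headers, strict):
    """Return (environ, dropped_names) for a list of (name, value) pairs."""
    environ, dropped = {}, []
    for name, value in headers:
        if strict and not STRICT_NAME.fullmatch(name):
            dropped.append(name)  # never reaches the application or auth hooks
            continue
        key = cgi_key(name)
        # Repeated fields are comma-joined, as HTTP allows for list headers.
        environ[key] = f"{environ[key]}, {value}" if key in environ else value
    return environ, dropped


# Constructed request: X-Auth-User is a hypothetical header a front end sets;
# the underscore form is what arrived from the client.
SAMPLE = [
    ("Host", "app.example.test"),
    ("X-Auth-User", "alice"),
    ("X_Auth_User", "root"),
]

if __name__ == "__main__":
    for strict in (False, True):
        env, dropped = build_environ(SAMPLE, strict)
        print(f"strict={strict} HTTP_X_AUTH_USER={env['HTTP_X_AUTH_USER']!r} "
              f"dropped={dropped}")
```

Logging the dropped names on the server gives a cheap signal that something upstream is sending non-standard field names.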