22.0.0 regression: We need a better default treatment of SCRIPT_NAME #3192
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As pointed out in #2650, I have introduced a regression in the now released 22.0 version. What commonly worked in the default installation without additional configuration broke: Passing dynamic path information from a front-end when the application lives in a subfolder.
SCRIPT_NAME
(underscore, not dash) header to transmit the path where the application lives are broken after updating to gunicorn 22.0Affected Nginx config might look like this:
This is not necessarily unsafe. When leaving the defaults of
underscores_in_headers off; ignore_invalid_headers on;
untouched, this header name would not be automatically forwarded, so it has come from Nginx.Caution
SCRIPT_NAME
is not the only header that can lead to dangerous results when an application gets confused about which headers were inserted by an authorized proxy. But is the only one gunicorn absolutely must take care of, being the one gunicorn picks up from headers and places into environ.I propose we do:
map{}-ed
data to the application.Related issues