Title: wsgiref.validate doesn't accept arguments to readline
Type: Stage:
Components: Library (Lib) Versions: Python 2.6
Status: closed Resolution: not a bug
Dependencies: Superseder:
Assigned To: pje Nosy List: ianb, pje
Priority: normal Keywords:

Created on 2008-11-16 00:43 by ianb, last changed 2008-11-16 18:03 by ianb. This issue is now closed.

Messages (7)
msg75920 - Author: Ian Bicking (ianb) * Date: 2008-11-16 00:43
The method wsgiref.validate:InputWrapper.readline doesn't take any
arguments.  It should take an optional size argument.  Though this isn't
part of the WSGI specification, the cgi module uses this argument when
parsing the body, and in practice no applications that use
cgi.FieldStorage (which is most applications) are compatible with
wsgiref.validate as a result.  Simply adding a *args that is passed to
the underlying file fixes this.
msg75921 - Author: PJ Eby (pje) * (Python committer) Date: 2008-11-16 03:06
No, it shouldn't.  The purpose of wsgiref.validate is to validate spec
compliance, and the use of a readline() argument means that the program
doing the invocation is not valid, per the spec.  wsgiref.validate is
correctly reporting the failure of compliance.
msg75922 - Author: Ian Bicking (ianb) * Date: 2008-11-16 03:12
This renders wsgiref.validate.validator completely useless, because it
cannot be used with any existing code.
msg75923 - Author: PJ Eby (pje) * (Python committer) Date: 2008-11-16 03:21
Uh, Ian, do you not remember being the person who *wrote* this code a 
few years ago?  This is the old paste.lint with a little 
renaming.  Of course it can be used with existing code -- code that 
complies with the WSGI spec.

It's the cgi module that changed, not wsgiref.
msg75924 - Author: Ian Bicking (ianb) * Date: 2008-11-16 03:23
Yes, and I've wanted to deprecate paste.lint, but I can't because people
use it over wsgiref.validate because it had this change applied.  Yes,
cgi.FieldStorage changed, but now that it's changed wsgiref needs to be
compatible with it to be viable.

Mostly the WSGI spec has been wrong on this for some time, but we've
never gone through the process of updating it (though it has been
brought up several times on Web-SIG).
msg75939 - Author: PJ Eby (pje) * (Python committer) Date: 2008-11-16 14:42
Then obviously it makes no sense to update wsgiref before the 
spec.  ISTM the correct way to deal with this is update the cgi 
module to include a WSGI-compatible API.
msg75941 - Author: Ian Bicking (ianb) * Date: 2008-11-16 18:03
cgi started using this argument due to the potential of a DoS attack
without the length limit.  So undoing this in cgi (even as an option)
would be a regression.
Date                 User               Action  Args
2008-11-16 18:03:18  ianb               set     messages: + msg75941
2008-11-16 14:42:33  pje                set     messages: + msg75939
2008-11-16 03:23:55  ianb               set     messages: + msg75924
2008-11-16 03:21:43  pje                set     messages: + msg75923
2008-11-16 03:12:36  ianb               set     messages: + msg75922
2008-11-16 03:12:20  benjamin.peterson  set     status: open -> closed
2008-11-16 03:06:38  pje                set     resolution: not a bug; messages: + msg75921
2008-11-16 00:44:28  benjamin.peterson  set     assignee: pje; nosy: + pje
2008-11-16 00:43:03  ianb               create
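
Added example, not code from this thread, from wsgiref or from cgi: it shows the trade-off the messages argue over, using a constructed request body. StrictInput and BoundedLineReader are hypothetical names; StrictInput stands in for a validating wrapper whose readline() takes no argument, and BoundedLineReader gets length-limited line reads using only read(size).

```python
import io

class StrictInput:
    """Constructed stand-in for a validating wsgi.input wrapper:
    readline() takes no size argument, as the thread says the spec requires."""
    def __init__(self, raw):
        self._raw = raw
    def read(self, size):
        return self._raw.read(size)
    def readline(self):
        return self._raw.readline()

class BoundedLineReader:
    """Length-limited line reads built only on read(size) of the wrapped input."""
    def __init__(self, wsgi_input, chunk=8192):
        self._in = wsgi_input
        self._chunk = chunk
        self._buf = b""
    def readline(self, limit):
        # Fill the buffer until it holds a newline, reaches limit, or input ends.
        while b"\n" not in self._buf and len(self._buf) < limit:
            data = self._in.read(min(self._chunk, limit - len(self._buf)))
            if not data:
                break
            self._buf += data
        end = self._buf.find(b"\n", 0, limit)
        cut = end + 1 if end != -1 else min(limit, len(self._buf))
        line, self._buf = self._buf[:cut], self._buf[cut:]
        return line

def demo():
    # Constructed body: one short line, then a "line" that never ends.
    body = b"a=1\n" + b"X" * 100_000
    # 1. A parser calling readline(size) fails against the strict wrapper.
    try:
        StrictInput(io.BytesIO(body)).readline(1024)
        rejected = False
    except TypeError:
        rejected = True
    # 2. Argument-less readline() buffers the whole unterminated line at once.
    strict = StrictInput(io.BytesIO(body))
    strict.readline()
    unbounded = len(strict.readline())
    # 3. The bounded reader never returns more than limit bytes per call.
    reader = BoundedLineReader(StrictInput(io.BytesIO(body)), chunk=4096)
    first = reader.readline(1024)
    bounded = len(reader.readline(1024))
    return rejected, unbounded, first, bounded
```

The reader buffers at most `limit` bytes beyond what it has returned; it does not track CONTENT_LENGTH, which a real body parser also has to honor.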