[issue4212] email.LazyImporter does not use absolute imports
New submission from Brandon Bloom <[EMAIL PROTECTED]>:

I have a package with a module called "email". If I try to use the standard email package, it fails to load email.Utils because email.LazyImporter is looking in my email module instead of the top-level email package.

--
components: Library (Lib)
messages: 75251
nosy: brandonbloom
severity: normal
status: open
title: email.LazyImporter does not use absolute imports
type: behavior
versions: Python 2.5.3

___
Python tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue4212>
___
___
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue7250] wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests
New submission from Brandon Bloom:

This issue came up while doing Google App Engine development. Apparently the default wsgi handler logic is to cache os.environ into os_environ at import time. This is reasonable behavior for wsgi, but when using cgi, this is a serious security hole which leaks information between requests.

See this related bug at GAE:
http://code.google.com/p/googleappengine/issues/detail?id=2040&q=cookies%20dev_appserver.py&colspec=ID%20Type%20Status%20Priority%20Stars%20Owner%20Summary%20Log%20Component

--
components: Library (Lib)
messages: 94819
nosy: snprbob86
severity: normal
status: open
title: wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests
type: security
versions: Python 2.5

___
Python tracker
<http://bugs.python.org/issue7250>
___

[issue7250] wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests
Brandon Bloom added the comment:

> That is, in a true CGI environment, there can't be *multiple* requests
> made to CGIHandler, and so it can't leak. In "normal" (i.e. pre-GAE)
> long-running web environments, os.environ would not contain any request
> information, only the process startup environment.

That's fair. In this case the CGIHandler should raise an exception on subsequent requests to prevent this programming error.

> If someone wants to provide a GAEHandler class, great; otherwise, the
> documented way to run a WSGI app under GAE is the
> google.appengine.ext.webapp.util.run_wsgi_app function.

I'm not sure if run_wsgi_app was available right from the start, as some early tutorials and samples show using CGIHandler. That's how we ran into this issue.

[issue7250] wsgiref.handlers.CGIHandler caches os.environ, leaking info between requests
Brandon Bloom added the comment:

> Hm. In retrospect, CGIHandler should probably just set os_environ to an
> empty dictionary in its class body (thereby not using the cached
> environ), and this would then work correctly for repeated uses.
>
> This would be a clean bugfix and wouldn't affect behavior for any
> existing uses of CGIHandler that weren't already worse broken than the
> GAE case. ;-)

Yup, rock on with that :-)
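
The behaviour discussed in the issue7250 messages above, reproduced as an added example (not code from the tracker messages or from wsgiref's own source). It uses `wsgiref.handlers.BaseCGIHandler` and its `os_environ` class attribute; `CachingHandler`, `FreshHandler`, `serve`, `app` and the two request dictionaries are hypothetical names and constructed sample data.

```python
import io
from wsgiref.handlers import BaseCGIHandler

# Constructed sample data: the environments of two consecutive requests that one
# long-lived process (the GAE case in the thread) handles one after the other.
REQUEST_1 = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_COOKIE": "session=alice"}
REQUEST_2 = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}  # anonymous, no cookie


def app(environ, start_response):
    """Tiny WSGI app that echoes the cookie it believes the client sent."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("HTTP_COOKIE", "<none>").encode()]


class CachingHandler(BaseCGIHandler):
    # Models the reported behaviour: a snapshot taken once, while request 1
    # was in os.environ, is merged into the environ of every later request.
    os_environ = dict(REQUEST_1)


class FreshHandler(BaseCGIHandler):
    # The fix proposed in the thread: an empty os_environ in the class body,
    # so only the per-request environ reaches the application.
    os_environ = {}


def serve(handler_cls, request_env):
    """Run app through handler_cls and return the response body as text."""
    out = io.BytesIO()
    handler = handler_cls(io.BytesIO(), out, io.StringIO(), dict(request_env),
                          multithread=False, multiprocess=True)
    handler.run(app)
    # CGI output is "Status/headers", a blank line, then the body.
    return out.getvalue().split(b"\r\n\r\n", 1)[1].decode()


if __name__ == "__main__":
    print("cached os_environ:", serve(CachingHandler, REQUEST_2))
    print("empty os_environ: ", serve(FreshHandler, REQUEST_2))
```

Keys present in the current request overwrite the snapshot, so the stale value only shows through for variables the later request does not set, which is why a missing cookie header is the case that exposes it.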