[Zope] REMOTE_USER Security Issue
Jim Washington
jwashin at vt.edu
Thu May 18 13:21:31 EDT 2006
Lennart Regebro wrote:
> On 5/18/06, Jim Washington <jwashin at vt.edu> wrote:
>> Completely immutable environ is not a good choice from WSGI
>> point-of-view. environ can be useful for middleware
>> information-passing.
>
> WSGI middleware would by definition get the environ and be able to
> modify it before the request gets it, so that isn't a problem.
>
Yes, not a problem for middleware -> app communication. But some
app -> middleware communication would be impossible if environ is
completely read-only. I am assuming that "immutable" here means
"read-only".
What if a middleware app puts a key in environ specifically for the app
to write, e.g., post-processing parameters? I have a use case for that.
-Jim Washington
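
The use case raised in this message, as an added example that is not part of the original post and not Zope code: a plain WSGI middleware leaves a slot in environ for the app to fill, and the same request is run with a normal and a read-only top-level environ. The key name example.postprocess, the class and function names, and the use of MappingProxyType as a stand-in for a "read-only" environ are assumptions (PEP 3333 itself expects environ to be a builtin dict).

```python
from types import MappingProxyType

SLOT = "example.postprocess"  # hypothetical key name, not a Zope or WSGI standard


def app(environ, start_response):
    """App that asks the middleware to post-process its output."""
    # App -> middleware: write a parameter into the slot the middleware provided.
    environ[SLOT]["uppercase"] = True
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello " + environ.get("REMOTE_USER", "anonymous").encode()]


def spoofing_app(environ, start_response):
    """App-level code that tries to overwrite REMOTE_USER."""
    environ["REMOTE_USER"] = "admin"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"only reached when environ is writable"]


class PostProcessMiddleware:
    def __init__(self, wrapped, read_only=False):
        self.wrapped = wrapped
        self.read_only = read_only

    def __call__(self, environ, start_response):
        environ[SLOT] = {}  # middleware -> app: mutable slot the app may fill
        # Optionally hand the app a read-only view of the top-level mapping.
        view = MappingProxyType(environ) if self.read_only else environ
        body = b"".join(self.wrapped(view, start_response))
        # Post-processing driven by what the app wrote into the slot.
        if environ[SLOT].get("uppercase"):
            body = body.upper()
        return [body]


def run(wsgi_app, remote_user="jim"):
    """Drive one request with a constructed environ; return (body or error, environ)."""
    environ = {"REQUEST_METHOD": "GET", "REMOTE_USER": remote_user}
    try:
        body = b"".join(wsgi_app(environ, lambda status, headers: None))
    except TypeError as exc:
        return "TypeError: %s" % exc, environ
    return body, environ
```

A shallow read-only view blocks the REMOTE_USER overwrite while the app can still fill the slot; an environ that is immutable all the way down would block both.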