validate.py 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441
  1. # (c) 2005 Ian Bicking and contributors; written for Paste (http://pythonpaste.org)
  2. # Licensed under the MIT license: http://www.opensource.org/licenses/mit-license.php
  3. # Also licenced under the Apache License, 2.0: http://opensource.org/licenses/apache2.0.php
  4. # Licensed to PSF under a Contributor Agreement
  5. """
  6. Middleware to check for obedience to the WSGI specification.
  7. Some of the things this checks:
  8. * Signature of the application and start_response (including that
  9. keyword arguments are not used).
  10. * Environment checks:
  11. - Environment is a dictionary (and not a subclass).
  12. - That all the required keys are in the environment: REQUEST_METHOD,
  13. SERVER_NAME, SERVER_PORT, wsgi.version, wsgi.input, wsgi.errors,
  14. wsgi.multithread, wsgi.multiprocess, wsgi.run_once
  15. - That HTTP_CONTENT_TYPE and HTTP_CONTENT_LENGTH are not in the
  16. environment (these headers should appear as CONTENT_LENGTH and
  17. CONTENT_TYPE).
  18. - Warns if QUERY_STRING is missing, as the cgi module acts
  19. unpredictably in that case.
  20. - That CGI-style variables (that don't contain a .) have
  21. (non-unicode) string values
  22. - That wsgi.version is a tuple
  23. - That wsgi.url_scheme is 'http' or 'https' (@@: is this too
  24. restrictive?)
  25. - Warns if the REQUEST_METHOD is not known (@@: probably too
  26. restrictive).
  27. - That SCRIPT_NAME and PATH_INFO are empty or start with /
  28. - That at least one of SCRIPT_NAME or PATH_INFO are set.
  29. - That CONTENT_LENGTH is a positive integer.
  30. - That SCRIPT_NAME is not '/' (it should be '', and PATH_INFO should
  31. be '/').
  32. - That wsgi.input has the methods read, readline, readlines, and
  33. __iter__
  34. - That wsgi.errors has the methods flush, write, writelines
  35. * The status is a string, contains a space, starts with an integer,
  36. and that integer is in range (> 100).
  37. * That the headers is a list (not a subclass, not another kind of
  38. sequence).
  39. * That the items of the headers are tuples of strings.
  40. * That there is no 'status' header (that is used in CGI, but not in
  41. WSGI).
  42. * That the headers don't contain newlines or colons, end in _ or -, or
  43. contain characters codes below 037.
  44. * That Content-Type is given if there is content (CGI often has a
  45. default content type, but WSGI does not).
  46. * That no Content-Type is given when there is no content (@@: is this
  47. too restrictive?)
  48. * That the exc_info argument to start_response is a tuple or None.
  49. * That all calls to the writer are with strings, and no other methods
  50. on the writer are accessed.
  51. * That wsgi.input is used properly:
  52. - .read() is called with exactly one argument
  53. - That it returns a string
  54. - That readline, readlines, and __iter__ return strings
  55. - That .close() is not called
  56. - No other methods are provided
  57. * That wsgi.errors is used properly:
  58. - .write() and .writelines() is called with a string
  59. - That .close() is not called, and no other methods are provided.
  60. * The response iterator:
  61. - That it is not a string (it should be a list of a single string; a
  62. string will work, but perform horribly).
  63. - That .__next__() returns a string
  64. - That the iterator is not iterated over until start_response has
  65. been called (that can signal either a server or application
  66. error).
  67. - That .close() is called (doesn't raise exception, only prints to
  68. sys.stderr, because we only know it isn't called when the object
  69. is garbage collected).
  70. """
  71. __all__ = ['validator']
  72. import re
  73. import sys
  74. import warnings
  75. header_re = re.compile(r'^[a-zA-Z][a-zA-Z0-9\-_]*$')
  76. bad_header_value_re = re.compile(r'[\000-\037]')
  77. class WSGIWarning(Warning):
  78. """
  79. Raised in response to WSGI-spec-related warnings
  80. """
  81. def assert_(cond, *args):
  82. if not cond:
  83. raise AssertionError(*args)
  84. def check_string_type(value, title):
  85. if type (value) is str:
  86. return value
  87. raise AssertionError(
  88. "{0} must be of type str (got {1})".format(title, repr(value)))
  89. def validator(application):
  90. """
  91. When applied between a WSGI server and a WSGI application, this
  92. middleware will check for WSGI compliance on a number of levels.
  93. This middleware does not modify the request or response in any
  94. way, but will raise an AssertionError if anything seems off
  95. (except for a failure to close the application iterator, which
  96. will be printed to stderr -- there's no way to raise an exception
  97. at that point).
  98. """
  99. def lint_app(*args, **kw):
  100. assert_(len(args) == 2, "Two arguments required")
  101. assert_(not kw, "No keyword arguments allowed")
  102. environ, start_response = args
  103. check_environ(environ)
  104. # We use this to check if the application returns without
  105. # calling start_response:
  106. start_response_started = []
  107. def start_response_wrapper(*args, **kw):
  108. assert_(len(args) == 2 or len(args) == 3, (
  109. "Invalid number of arguments: %s" % (args,)))
  110. assert_(not kw, "No keyword arguments allowed")
  111. status = args[0]
  112. headers = args[1]
  113. if len(args) == 3:
  114. exc_info = args[2]
  115. else:
  116. exc_info = None
  117. check_status(status)
  118. check_headers(headers)
  119. check_content_type(status, headers)
  120. check_exc_info(exc_info)
  121. start_response_started.append(None)
  122. return WriteWrapper(start_response(*args))
  123. environ['wsgi.input'] = InputWrapper(environ['wsgi.input'])
  124. environ['wsgi.errors'] = ErrorWrapper(environ['wsgi.errors'])
  125. iterator = application(environ, start_response_wrapper)
  126. assert_(iterator is not None and iterator != False,
  127. "The application must return an iterator, if only an empty list")
  128. check_iterator(iterator)
  129. return IteratorWrapper(iterator, start_response_started)
  130. return lint_app
  131. class InputWrapper:
  132. def __init__(self, wsgi_input):
  133. self.input = wsgi_input
  134. def read(self, *args):
  135. assert_(len(args) == 1)
  136. v = self.input.read(*args)
  137. assert_(type(v) is bytes)
  138. return v
  139. def readline(self, *args):
  140. assert_(len(args) <= 1)
  141. v = self.input.readline(*args)
  142. assert_(type(v) is bytes)
  143. return v
  144. def readlines(self, *args):
  145. assert_(len(args) <= 1)
  146. lines = self.input.readlines(*args)
  147. assert_(type(lines) is list)
  148. for line in lines:
  149. assert_(type(line) is bytes)
  150. return lines
  151. def __iter__(self):
  152. while 1:
  153. line = self.readline()
  154. if not line:
  155. return
  156. yield line
  157. def close(self):
  158. assert_(0, "input.close() must not be called")
  159. class ErrorWrapper:
  160. def __init__(self, wsgi_errors):
  161. self.errors = wsgi_errors
  162. def write(self, s):
  163. assert_(type(s) is str)
  164. self.errors.write(s)
  165. def flush(self):
  166. self.errors.flush()
  167. def writelines(self, seq):
  168. for line in seq:
  169. self.write(line)
  170. def close(self):
  171. assert_(0, "errors.close() must not be called")
  172. class WriteWrapper:
  173. def __init__(self, wsgi_writer):
  174. self.writer = wsgi_writer
  175. def __call__(self, s):
  176. assert_(type(s) is bytes)
  177. self.writer(s)
  178. class PartialIteratorWrapper:
  179. def __init__(self, wsgi_iterator):
  180. self.iterator = wsgi_iterator
  181. def __iter__(self):
  182. # We want to make sure __iter__ is called
  183. return IteratorWrapper(self.iterator, None)
  184. class IteratorWrapper:
  185. def __init__(self, wsgi_iterator, check_start_response):
  186. self.original_iterator = wsgi_iterator
  187. self.iterator = iter(wsgi_iterator)
  188. self.closed = False
  189. self.check_start_response = check_start_response
  190. def __iter__(self):
  191. return self
  192. def __next__(self):
  193. assert_(not self.closed,
  194. "Iterator read after closed")
  195. v = next(self.iterator)
  196. if type(v) is not bytes:
  197. assert_(False, "Iterator yielded non-bytestring (%r)" % (v,))
  198. if self.check_start_response is not None:
  199. assert_(self.check_start_response,
  200. "The application returns and we started iterating over its body, but start_response has not yet been called")
  201. self.check_start_response = None
  202. return v
  203. def close(self):
  204. self.closed = True
  205. if hasattr(self.original_iterator, 'close'):
  206. self.original_iterator.close()
  207. def __del__(self):
  208. if not self.closed:
  209. sys.stderr.write(
  210. "Iterator garbage collected without being closed")
  211. assert_(self.closed,
  212. "Iterator garbage collected without being closed")
  213. def check_environ(environ):
  214. assert_(type(environ) is dict,
  215. "Environment is not of the right type: %r (environment: %r)"
  216. % (type(environ), environ))
  217. for key in ['REQUEST_METHOD', 'SERVER_NAME', 'SERVER_PORT',
  218. 'wsgi.version', 'wsgi.input', 'wsgi.errors',
  219. 'wsgi.multithread', 'wsgi.multiprocess',
  220. 'wsgi.run_once']:
  221. assert_(key in environ,
  222. "Environment missing required key: %r" % (key,))
  223. for key in ['HTTP_CONTENT_TYPE', 'HTTP_CONTENT_LENGTH']:
  224. assert_(key not in environ,
  225. "Environment should not have the key: %s "
  226. "(use %s instead)" % (key, key[5:]))
  227. if 'QUERY_STRING' not in environ:
  228. warnings.warn(
  229. 'QUERY_STRING is not in the WSGI environment; the cgi '
  230. 'module will use sys.argv when this variable is missing, '
  231. 'so application errors are more likely',
  232. WSGIWarning)
  233. for key in environ.keys():
  234. if '.' in key:
  235. # Extension, we don't care about its type
  236. continue
  237. assert_(type(environ[key]) is str,
  238. "Environmental variable %s is not a string: %r (value: %r)"
  239. % (key, type(environ[key]), environ[key]))
  240. assert_(type(environ['wsgi.version']) is tuple,
  241. "wsgi.version should be a tuple (%r)" % (environ['wsgi.version'],))
  242. assert_(environ['wsgi.url_scheme'] in ('http', 'https'),
  243. "wsgi.url_scheme unknown: %r" % environ['wsgi.url_scheme'])
  244. check_input(environ['wsgi.input'])
  245. check_errors(environ['wsgi.errors'])
  246. # @@: these need filling out:
  247. if environ['REQUEST_METHOD'] not in (
  248. 'GET', 'HEAD', 'POST', 'OPTIONS', 'PATCH', 'PUT', 'DELETE', 'TRACE'):
  249. warnings.warn(
  250. "Unknown REQUEST_METHOD: %r" % environ['REQUEST_METHOD'],
  251. WSGIWarning)
  252. assert_(not environ.get('SCRIPT_NAME')
  253. or environ['SCRIPT_NAME'].startswith('/'),
  254. "SCRIPT_NAME doesn't start with /: %r" % environ['SCRIPT_NAME'])
  255. assert_(not environ.get('PATH_INFO')
  256. or environ['PATH_INFO'].startswith('/'),
  257. "PATH_INFO doesn't start with /: %r" % environ['PATH_INFO'])
  258. if environ.get('CONTENT_LENGTH'):
  259. assert_(int(environ['CONTENT_LENGTH']) >= 0,
  260. "Invalid CONTENT_LENGTH: %r" % environ['CONTENT_LENGTH'])
  261. if not environ.get('SCRIPT_NAME'):
  262. assert_('PATH_INFO' in environ,
  263. "One of SCRIPT_NAME or PATH_INFO are required (PATH_INFO "
  264. "should at least be '/' if SCRIPT_NAME is empty)")
  265. assert_(environ.get('SCRIPT_NAME') != '/',
  266. "SCRIPT_NAME cannot be '/'; it should instead be '', and "
  267. "PATH_INFO should be '/'")
  268. def check_input(wsgi_input):
  269. for attr in ['read', 'readline', 'readlines', '__iter__']:
  270. assert_(hasattr(wsgi_input, attr),
  271. "wsgi.input (%r) doesn't have the attribute %s"
  272. % (wsgi_input, attr))
  273. def check_errors(wsgi_errors):
  274. for attr in ['flush', 'write', 'writelines']:
  275. assert_(hasattr(wsgi_errors, attr),
  276. "wsgi.errors (%r) doesn't have the attribute %s"
  277. % (wsgi_errors, attr))
  278. def check_status(status):
  279. status = check_string_type(status, "Status")
  280. # Implicitly check that we can turn it into an integer:
  281. status_code = status.split(None, 1)[0]
  282. assert_(len(status_code) == 3,
  283. "Status codes must be three characters: %r" % status_code)
  284. status_int = int(status_code)
  285. assert_(status_int >= 100, "Status code is invalid: %r" % status_int)
  286. if len(status) < 4 or status[3] != ' ':
  287. warnings.warn(
  288. "The status string (%r) should be a three-digit integer "
  289. "followed by a single space and a status explanation"
  290. % status, WSGIWarning)
  291. def check_headers(headers):
  292. assert_(type(headers) is list,
  293. "Headers (%r) must be of type list: %r"
  294. % (headers, type(headers)))
  295. for item in headers:
  296. assert_(type(item) is tuple,
  297. "Individual headers (%r) must be of type tuple: %r"
  298. % (item, type(item)))
  299. assert_(len(item) == 2)
  300. name, value = item
  301. name = check_string_type(name, "Header name")
  302. value = check_string_type(value, "Header value")
  303. assert_(name.lower() != 'status',
  304. "The Status header cannot be used; it conflicts with CGI "
  305. "script, and HTTP status is not given through headers "
  306. "(value: %r)." % value)
  307. assert_('\n' not in name and ':' not in name,
  308. "Header names may not contain ':' or '\\n': %r" % name)
  309. assert_(header_re.search(name), "Bad header name: %r" % name)
  310. assert_(not name.endswith('-') and not name.endswith('_'),
  311. "Names may not end in '-' or '_': %r" % name)
  312. if bad_header_value_re.search(value):
  313. assert_(0, "Bad header value: %r (bad char: %r)"
  314. % (value, bad_header_value_re.search(value).group(0)))
  315. def check_content_type(status, headers):
  316. status = check_string_type(status, "Status")
  317. code = int(status.split(None, 1)[0])
  318. # @@: need one more person to verify this interpretation of RFC 2616
  319. # http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
  320. NO_MESSAGE_BODY = (204, 304)
  321. for name, value in headers:
  322. name = check_string_type(name, "Header name")
  323. if name.lower() == 'content-type':
  324. if code not in NO_MESSAGE_BODY:
  325. return
  326. assert_(0, ("Content-Type header found in a %s response, "
  327. "which must not return content.") % code)
  328. if code not in NO_MESSAGE_BODY:
  329. assert_(0, "No Content-Type header found in headers (%s)" % headers)
  330. def check_exc_info(exc_info):
  331. assert_(exc_info is None or type(exc_info) is tuple,
  332. "exc_info (%r) is not a tuple: %r" % (exc_info, type(exc_info)))
  333. # More exc_info checks?
  334. def check_iterator(iterator):
  335. # Technically a bytestring is legal, which is why it's a really bad
  336. # idea, because it may cause the response to be returned
  337. # character-by-character
  338. assert_(not isinstance(iterator, (str, bytes)),
  339. "You should not return a string as your application iterator, "
  340. "instead return a single-item list containing a bytestring.")