Use sanitised result of selected_subprotocol #446
Conversation
Thanks for submitting your first pull request! You are awesome! 🤗
FYI @sylvaticus Fixed version deployed at https://coder.jupyter.b-data.ch.

```sh
cd /usr/local/lib/python3.11/site-packages/jupyter_server_proxy \
  && cp -a handlers.py handlers.py.orig \
  && sed -i 's/subprotocols=self\.subprotocols/subprotocols=self\.selected_subprotocol/g' handlers.py
```
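The sed above swaps the raw client-requested list (`self.subprotocols`) for the single value Tornado's `WebSocketHandler` stores after `select_subprotocol()` has run (`self.selected_subprotocol`) in the upstream connect call. The following is an added illustration of why that matters; it is not jupyter-server-proxy's or Tornado's code, and the allow-list, the RFC 7230 token check and the helper names are my own assumptions, not anything the PR specifies:

```python
"""Added illustration (not jupyter-server-proxy or Tornado code): a WebSocket
proxy should forward only the *selected* subprotocol upstream, never the raw
client-supplied Sec-WebSocket-Protocol list.

Assumptions (mine, not from the PR): the proxy accepts one of a fixed set of
subprotocol names, and a requested name must be a valid RFC 6455/7230 token
before it is forwarded anywhere."""
import re

# RFC 7230 "token": 1*tchar, where tchar is one of
# ! # $ % & ' * + - . ^ _ ` | ~ DIGIT ALPHA
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_requested_subprotocols(header_value):
    """Split a Sec-WebSocket-Protocol header into its comma-separated names.

    Returns the stripped raw names, including any that are malformed; this is
    the untrusted input a handler sees before any sanitisation."""
    if header_value is None:
        return []
    return [p.strip() for p in header_value.split(",") if p.strip()]


def is_valid_subprotocol_name(name):
    """True when the name is a syntactically valid token (no spaces, no CR/LF)."""
    return bool(_TOKEN_RE.match(name))


def select_subprotocol(requested, allowed):
    """Plays the role of a sanitised select_subprotocol(): return the first
    requested name that is both a valid token and on the allow-list, or None
    when nothing acceptable was requested."""
    for name in requested:
        if is_valid_subprotocol_name(name) and name in allowed:
            return name
    return None


def upstream_subprotocols(header_value, allowed):
    """The value to hand to an upstream websocket_connect(subprotocols=...)
    call: the selected subprotocol alone, or [] so that no
    Sec-WebSocket-Protocol header is sent upstream at all."""
    selected = select_subprotocol(parse_requested_subprotocols(header_value), allowed)
    return [selected] if selected is not None else []


if __name__ == "__main__":
    ALLOWED = {"v1.channel.k8s.io", "binary"}  # constructed allow-list
    # Constructed sample header values; the third carries a name with spaces,
    # which is not a token and which an upstream server may reject outright.
    samples = [
        "binary",
        "v1.channel.k8s.io, binary",
        "not a token, binary",
        None,
    ]
    for h in samples:
        print(
            repr(h),
            "-> raw:", parse_requested_subprotocols(h),
            "| forwarded:", upstream_subprotocols(h, ALLOWED),
        )
```

The point of the comparison in the `__main__` block is the gap between the `raw` list and the `forwarded` list: forwarding `raw` reproduces every malformed or unexpected name verbatim to the backend, whereas forwarding only the selected value means the backend sees at most one name the proxy has already vetted.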
Ping @consideRatio FYI @duytnguyendtn
I confirm that the sanitation applied to
Force-pushed from c3bb036 to fe903d3.
Thanks for putting together this PR! Hopefully we can get some traction from the devs and get this merged
Force-pushed from fe903d3 to e7429df.
Thank you for digging into this topic @benz0li!!! For a merge this needs to be vetted with regards to "is this a breaking change" and "is this secure" for example, things that I personally struggle with in this tech-context. It would be very helpful for me if you could provide your take on that @benz0li, it would be a great starting point for me to review this change proposal.
@consideRatio You can find the technical details in #442.
Technically, I am not up to such things either. Maybe @duytnguyendtn has more insight.
Haha and you've discovered why I didn't feel brave enough to author the PR! Frankly, I don't have the background to evaluate the safety or the "breaking" nature of this change. I hoped to open a discussion in #442 with the maintainers to help evaluate its safety and compatibility. Echoing @benz0li, @consideRatio please take a look at my investigation in #442 where I arrived at the two potential solutions at the bottom which @benz0li is basing this PR off of. I tried to make it as thorough as I could and explore the code traces. Please let me know if I can be of any further assistance!
Because Jupyter Server Proxy borrows a lot from Tornado Web Server, I dare to ping @bdarnell in this case. IMHO Former vs latter:
Maybe there is a simpler and saner way to prevent
Closed in favour of #448.
HTTP 400: Bad Request
#445