Avoid escaping environ keys that are not used by WSGIHTTPException body_template #139
Currently WSGIHTTPExceptions, when served as responses, call _make_body to prepare their body.
The side effect is that if the user stored any property for which the conversion to string fails, the Response will crash even though that property is not used at all.
As redirections are subclasses of _HTTPMove (which provides a custom template), the _make_body will iterate on the repoze.who identity, which contains the User, and will convert it to string (through html_escape). As the transaction has previously been rolled back, the user is now detached from the session and so cannot be converted if it provided a custom str/repr method that gets any of its properties.
The proposed patch solves the issue by lazily escaping environ values, so that only those that are used by the body_template are actually evaluated.
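The difference between eager and lazy escaping described in this pull request, as an added example that is not the patch or WebOb's own code: `LazyEscaped`, `DetachedUser`, `DetachedError`, the template text and the sample environ are all constructed for illustration. It shows that values the template references are still HTML-escaped, while unused values are never converted to strings.

```python
from html import escape
from string import Template

# Constructed template; only ${location} and ${PATH_INFO} are referenced.
TEMPLATE = "Moved to ${location} (requested: ${PATH_INFO})"


class DetachedError(Exception):
    """Hypothetical stand-in for an ORM 'instance is detached' error."""


class DetachedUser:
    """Constructed user object whose repr fails once the session is gone."""

    def __repr__(self):
        raise DetachedError("user is detached from the session")

    __str__ = __repr__


class LazyEscaped:
    """Read-only view that HTML-escapes a value only when it is looked up."""

    def __init__(self, values):
        self._values = values

    def __getitem__(self, key):
        return escape(str(self._values[key]), quote=True)


def eager_body(template, environ):
    # Behaviour described above: every value is stringified and escaped,
    # including ones the template never references.
    escaped = {k: escape(str(v), quote=True) for k, v in environ.items()}
    return Template(template).substitute(escaped)


def lazy_body(template, environ):
    # Only keys named in the template reach __getitem__, so unused values are
    # never converted, while used ones are still escaped.
    return Template(template).substitute(LazyEscaped(environ))


def sample_environ():
    # Constructed WSGI-like environ with markup in the path and location.
    return {
        "location": "/login?next=<b>",
        "PATH_INFO": "/a<script>",
        "repoze.who.identity": {"user": DetachedUser()},
    }
```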