Comment 3 for bug 1953173

Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

Hi Server team,

Could you please take a look at the following lines in wsgi.py:

    def build_environ(self, scope, body):
        ...
        environ = {
            ...
            "SCRIPT_NAME": scope.get("root_path", "").encode("utf8").decode("latin1"),
            "PATH_INFO": scope["path"].encode("utf8").decode("latin1"),
            "QUERY_STRING": scope["query_string"].decode("ascii"),
            ...
        }
    ...

There is a concern around encoding and decoding non-validated data that caught our attention.
Could you give us your feedback on whether you think it is possible that someone could
use malicious data in order to cause damage to the operation? (maybe some sort of
garbage data in HTTP headers)

thank you very much.
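The following is an added example, not code from this bug report or from the project whose wsgi.py is quoted above. It copies the three quoted assignments verbatim into build_environ_fragment(), feeds them constructed ASGI scopes to show exactly which inputs make them raise (a non-ASCII query string fails in .decode("ascii"); a path containing a lone surrogate, as produced when a server decodes the raw request target with errors="surrogateescape", fails in .encode("utf8")), and shows one way to reject such requests up front. The BadRequest class and the surrogate-bearing path are assumptions made for the example.

```python
# Added example. build_environ_fragment() repeats the three lines quoted in
# the comment; everything else is constructed here to exercise them.


def build_environ_fragment(scope: dict) -> dict:
    """The three assignments quoted in the comment, unchanged."""
    return {
        "SCRIPT_NAME": scope.get("root_path", "").encode("utf8").decode("latin1"),
        "PATH_INFO": scope["path"].encode("utf8").decode("latin1"),
        "QUERY_STRING": scope["query_string"].decode("ascii"),
    }


def classify(scope: dict) -> str:
    """Run the quoted code on a scope and report how it behaves.

    - "ok": all three conversions succeed.
    - "decode-error": .decode("ascii") rejected a byte >= 0x80 in the
      query string (Latin-1 decoding, by contrast, accepts every byte).
    - "encode-error": .encode("utf8") rejected a lone surrogate in the
      path; UTF-8 encoding of a str fails only on surrogates.
    """
    try:
        build_environ_fragment(scope)
    except UnicodeDecodeError:
        return "decode-error"
    except UnicodeEncodeError:
        return "encode-error"
    return "ok"


class BadRequest(ValueError):
    """Hypothetical: the caller is assumed to map this to an HTTP 400."""


def build_environ_fragment_checked(scope: dict) -> dict:
    """Same mapping, but malformed input is rejected before conversion.

    The UTF-8 -> Latin-1 round trip is the PEP 3333 convention for
    carrying bytes inside a str, so it is kept; only the failure modes
    are turned into an explicit rejection.
    """
    query = scope["query_string"]
    if any(b > 0x7F for b in query):
        raise BadRequest("query string contains non-ASCII bytes")
    try:
        root_bytes = scope.get("root_path", "").encode("utf8")
        path_bytes = scope["path"].encode("utf8")
    except UnicodeEncodeError:
        raise BadRequest("path contains characters that are not UTF-8 encodable") from None
    return {
        "SCRIPT_NAME": root_bytes.decode("latin1"),
        "PATH_INFO": path_bytes.decode("latin1"),
        "QUERY_STRING": query.decode("latin1"),
    }


def rejects(scope: dict) -> bool:
    """True if the checked builder refuses this scope with BadRequest."""
    try:
        build_environ_fragment_checked(scope)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed scopes: a normal request, a query string with a raw 0xFF
    # byte, and a path holding a lone surrogate (assumed surrogateescape
    # output from the server's request-target decoding).
    for name, scope in [
        ("normal", {"path": "/h\u00e9llo", "query_string": b"a=1"}),
        ("query 0xff", {"path": "/", "query_string": b"a=\xff"}),
        ("surrogate path", {"path": "/\udcff", "query_string": b""}),
    ]:
        print(f"{name:15} quoted code: {classify(scope):13} checked: "
              f"{'rejected' if rejects(scope) else 'accepted'}")
```

On the normal scope the two builders agree, and PATH_INFO comes back as the Latin-1 view of the UTF-8 bytes (so "/héllo" becomes "/hÃ©llo"), which the WSGI application can reverse with .encode("latin1").decode("utf8"); on the two malformed scopes the quoted code raises an unhandled Unicode error while the checked builder raises BadRequest.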