Dev server redirects to arbitrary url when path starts with double slash // #1639
As the documentation states the integrated server is intended for development environments only:
This doesn't seem like an issue to me, or does this happen with other servers as well (gunicorn, uwsgi, etc.)?
I didn't test with other servers but I ran the Flask server and the issue happened. Use the code above, run the server, and check the requests and responses.
I tested in Firefox, Chrome, and Opera and redirected to domains such as google.com, bing.com, yahoo.com, and msn.com.
This bug exists in Flask on Why do
You are not supposed to do that. Open redirects are mostly an issue on high-profile/trusted sites and those are even less likely to use the dev server in production.

@davidism: 301 redirect maybe? That'd explain why it happens for you with no server running.
If I run the service on Linux with bash and access the Flask app, this is an issue. Example: http://148.251.25.244:9090//google.com
The dev server is not acceptable for any production setup, period. If someone uses it anyway, it's his fault if his box gets pwned or abused. I just looked into it and the problem happens due to an incorrect
Can someone still report a bug to werkzeug perhaps so it can decide on how to handle this?
OK, this is not a flask bug, possibly not even a werkzeug bug.
The double slash results in the
You mean the issue is here?

    from http.server import BaseHTTPRequestHandler  # import added for context
    import werkzeug
    from werkzeug.urls import url_parse

    class WSGIRequestHandler(BaseHTTPRequestHandler, object):
        """A request handler that implements WSGI dispatching."""
        @property
        def server_version(self):
            return 'Werkzeug/' + werkzeug.__version__
        def make_environ(self):
            request_url = url_parse(self.path)  ### issue here?
Yes.
Ultimately, the answer is still the same: don't use the dev server in production, it is not designed to be secure. At this point, it's clear that this is not a Flask bug, and it has been reported in pallets/werkzeug#822. Closing.
If I try to navigate to http://127.0.0.1:8000//google.com (2 slashes), I get redirected to google.com. I correctly get a 404 with http://127.0.0.1:8000/google.com (1 slash) and http://127.0.0.1:8000///google.com (3 slashes). This is a vulnerability, I shouldn't be redirected to arbitrary URLs. Flask should prevent arbitrary redirects from URLs.
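The parse the thread points at, as an added example (not Flask's or Werkzeug's own code): the standard library's urllib.parse.urlsplit stands in for werkzeug's url_parse here (an assumption; both apply the RFC 3986 rule that a leading "//" introduces an authority), beside the origin-form normalisation and the same-host Location check a defender would add. The three request-targets are the ones from the report above.

```python
from urllib.parse import urlsplit


def parse_request_target(raw_path):
    """Mirror what the dev server did: feed the raw request-target from the
    request line into a general-purpose URL parser. Returns (netloc, path)."""
    parts = urlsplit(raw_path)
    return parts.netloc, parts.path


def normalise_request_path(raw_path):
    """Hardened variant. The request-target of an ordinary request is
    origin-form (a path), so a leading '//' must never become an authority.
    Collapse the run of leading slashes before parsing, then refuse anything
    that still carries a scheme or host."""
    if raw_path.startswith('//'):
        raw_path = '/' + raw_path.lstrip('/')
    parts = urlsplit(raw_path)
    if parts.scheme or parts.netloc:
        raise ValueError('request-target must be origin-form: %r' % raw_path)
    return parts.path or '/'


def is_local_redirect(location, own_host):
    """Defender-side check for a Location value before emitting a 30x:
    relative paths and absolute URLs on our own host pass; scheme-relative
    '//host' targets and foreign hosts are refused. own_host is the value
    the application trusts for Host (host[:port])."""
    parts = urlsplit(location)
    if parts.scheme not in ('', 'http', 'https'):
        return False
    return parts.netloc in ('', own_host)


if __name__ == '__main__':
    # Constructed request-targets matching the 1-, 2- and 3-slash cases reported.
    for target in ('/google.com', '//google.com', '///google.com'):
        print('%-16s -> netloc/path %r' % (target, parse_request_target(target)))
        print('%-16s -> normalised  %r' % (target, normalise_request_path(target)))
```

Only the two-slash form yields a non-empty netloc, which is why one and three slashes produce a plain 404 while two produce a redirect.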