Merge pull request #891 from pallets/double-slash-path

Fix #822
pallets · Apr 14, 2016 · 556bdcb · 556bdcb
2 parents a7066a7 + ecf41a3
commit 556bdcb
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 1 deletion.
diff --git a/CHANGES b/CHANGES
@@ -11,6 +11,7 @@ Version 0.11.6
 - increased the pin timeout to a week to make it less annoying for people
   which should decrease the change that users disable the pin check
   entirely.
+- werkzeug.serving: Fix broken HTTP_HOST when path starts with double slash.
 
 Version 0.11.5
 --------------

diff --git a/tests/test_serving.py b/tests/test_serving.py
@@ -24,6 +24,11 @@
 except ImportError:
     watchdog = None
 
+try:
+    import httplib
+except ImportError:
+    from http import client as httplib
+
 import requests
 import requests.exceptions
 import pytest
@@ -39,6 +44,36 @@ def test_serving(dev_server):
     assert b'Werkzeug/' + version.encode('ascii') in rv
 
 
+def test_absolute_requests(dev_server):
+    server = dev_server('''
+    def app(environ, start_response):
+        assert environ['HTTP_HOST'] == 'surelynotexisting.example.com:1337'
+        assert environ['PATH_INFO'] == '/index.htm'
+        addr = environ['HTTP_X_WERKZEUG_ADDR']
+        assert environ['SERVER_PORT'] == addr.split(':')[1]
+        start_response('200 OK', [('Content-Type', 'text/html')])
+        return [b'YES']
+    ''')
+
+    conn = httplib.HTTPConnection(server.addr)
+    conn.request('GET', 'http://surelynotexisting.example.com:1337/index.htm#ignorethis',
+                 headers={'X-Werkzeug-Addr': server.addr})
+    res = conn.getresponse()
+    assert res.read() == b'YES'
+
+
+def test_double_slash_path(dev_server):
+    server = dev_server('''
+    def app(environ, start_response):
+        assert 'fail' not in environ['HTTP_HOST']
+        start_response('200 OK', [('Content-Type', 'text/plain')])
+        return [b'YES']
+    ''')
+
+    r = requests.get(server.url + '//fail')
+    assert r.content == b'YES'
+
+
 def test_broken_app(dev_server):
     server = dev_server('''
     def app(environ, start_response):

diff --git a/werkzeug/serving.py b/werkzeug/serving.py
@@ -125,7 +125,7 @@ def shutdown_server():
             if key not in ('HTTP_CONTENT_TYPE', 'HTTP_CONTENT_LENGTH'):
                 environ[key] = value
 
-        if request_url.netloc:
+        if request_url.scheme and request_url.netloc:
             environ['HTTP_HOST'] = request_url.netloc
 
         return environ