From 86bcd431f9ef5de53a2cc338795723ece24ff39f Mon Sep 17 00:00:00 2001 From: Markus Unterwaditzer Date: Sun, 10 Apr 2016 23:48:45 +0200 Subject: [PATCH 1/4] Restore testcase for absolute requests --- tests/test_serving.py | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tests/test_serving.py b/tests/test_serving.py index 9954f396e..a2c03ee26 100644 --- a/tests/test_serving.py +++ b/tests/test_serving.py @@ -24,6 +24,11 @@ except ImportError: watchdog = None +try: + import httplib +except ImportError: + from http import client as httplib + import requests import requests.exceptions import pytest @@ -39,6 +44,24 @@ def test_serving(dev_server): assert b'Werkzeug/' + version.encode('ascii') in rv +def test_absolute_requests(dev_server): + server = dev_server(''' + def app(environ, start_response): + assert environ['HTTP_HOST'] == 'surelynotexisting.example.com:1337' + assert environ['PATH_INFO'] == '/index.htm' + addr = environ['HTTP_X_WERKZEUG_ADDR'] + assert environ['SERVER_PORT'] == addr.split(':')[1] + start_response('200 OK', [('Content-Type', 'text/html')]) + return [b'YES'] + ''') + + conn = httplib.HTTPConnection(server.addr) + conn.request('GET', 'http://surelynotexisting.example.com:1337/index.htm#ignorethis', + headers={'X-Werkzeug-Addr': server.addr}) + res = conn.getresponse() + assert res.read() == b'YES' + + def test_broken_app(dev_server): server = dev_server(''' def app(environ, start_response): From abbbf9a3a4bd78b908ffcf82b73966bb14fa8926 Mon Sep 17 00:00:00 2001 From: Markus Unterwaditzer Date: Sun, 10 Apr 2016 23:51:43 +0200 Subject: [PATCH 2/4] Add testcase for #822 --- tests/test_serving.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/test_serving.py b/tests/test_serving.py index a2c03ee26..f44c3259f 100644 --- a/tests/test_serving.py +++ b/tests/test_serving.py 
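Review bot: The `environ['HTTP_HOST']` assertion in `test_absolute_requests` would pass even if the server ignored the netloc of the absolute request target, because httplib, as far as I can tell, derives the Host header it sends from a URL that starts with `http`, so the client already sends `Host: surelynotexisting.example.com:1337`. To pin the override itself, send a conflicting header explicitly, `headers={'Host': 'ignored.example.com', 'X-Werkzeug-Addr': server.addr}`, and keep the existing assertion. It would also help to assert `res.status == 200` before reading the body and to call `conn.close()` at the end, so a failing assert inside the app shows up as a status mismatch and the connection is not left open.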
@@ -62,6 +62,18 @@ def app(environ, start_response): assert res.read() == b'YES' +def test_double_slash_path(dev_server): + server = dev_server(''' + def app(environ, start_response): + assert 'fail' not in environ['HTTP_HOST'] + start_response('200 OK', [('Content-Type', 'text/plain')]) + return [b'YES'] + ''') + + r = requests.get(server.url + '//fail') + assert r.content == b'YES' + + def test_broken_app(dev_server): server = dev_server(''' def app(environ, start_response): From 413a978fa99f64d2abdfb8bddd1da5bf44bc52ec Mon Sep 17 00:00:00 2001 From: Markus Unterwaditzer Date: Sun, 10 Apr 2016 23:52:36 +0200 Subject: [PATCH 3/4] serving: absolute request URLs need a scheme Fix #822 --- werkzeug/serving.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/werkzeug/serving.py b/werkzeug/serving.py index eafb1cde3..d6abbc31d 100644 --- a/werkzeug/serving.py +++ b/werkzeug/serving.py @@ -125,7 +125,7 @@ def shutdown_server(): if key not in ('HTTP_CONTENT_TYPE', 'HTTP_CONTENT_LENGTH'): environ[key] = value - if request_url.netloc: + if request_url.scheme and request_url.netloc: environ['HTTP_HOST'] = request_url.netloc return environ From ecf41a327d786e4ad7d388607d96b4b247a8f989 Mon Sep 17 00:00:00 2001 From: Markus Unterwaditzer Date: Sun, 10 Apr 2016 23:55:43 +0200 Subject: [PATCH 4/4] Add changelog --- CHANGES | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGES b/CHANGES index 88d0c9443..5e2d4f350 100644 --- a/CHANGES +++ b/CHANGES @@ -11,6 +11,7 @@ Version 0.11.6 - increased the pin timeout to a week to make it less annoying for people which should decrease the change that users disable the pin check entirely. +- werkzeug.serving: Fix broken HTTP_HOST when path starts with double slash. Version 0.11.5 --------------
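Review bot: `assert 'fail' not in environ['HTTP_HOST']` in `test_double_slash_path` is a negative substring check, so it says what the host must not be but not what it must be, and the test never looks at the path. I would pass the address in the way `test_absolute_requests` does, `headers={'X-Werkzeug-Addr': server.addr}`, and assert `environ['HTTP_HOST'] == environ['HTTP_X_WERKZEUG_ADDR']` (assuming `server.url` is built from `server.addr`). A `PATH_INFO` assertion is worth adding as well: if the URL parser still treats `fail` as netloc, the segment may be missing from the path the application sees, and the expected value for `//fail` should be decided and pinned here.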
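Review bot: The `if request_url.scheme and request_url.netloc:` line needs a comment, because the reason for requiring a scheme is not visible from the code: a target like `//fail` parses as a scheme-less reference with `fail` as netloc, which is how a client-chosen path segment ended up in `HTTP_HOST`. Something like `# Only an absolute-form target (scheme://host/...) may replace Host; '//x' is a path.` above the condition would do. Any non-empty scheme satisfies the check, so if only `http` and `https` targets are meant to override the header, `request_url.scheme in ('http', 'https')` would state that directly. The enclosing function starts outside the hunk.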