-
Notifications
You must be signed in to change notification settings - Fork 164
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Don't use urlsplit on request path #260
Comments
That just looks like a scheme-relative url. Not sure why you’re passing the path to urlsplit instead of the whole url. Does pep3333 say servers should collapse |
@mmerickel there is no whole URL when parsing a However, the following is ALSO a legal
This form is only ever used when the server is a proxy server, and it is not likely to exist in the wild. But that means both cases do need to get handled. As for it being a scheme relative URL, it is not, the URL that was accessed by the client was:
Which gets turned into this by curl and friends:
|
Lines 200 to 208 in 94e2311
Specifically this is the |
ok well if you have some context that says it's in the status line of a request then you know you don't support relative urls so you can normalize it right? |
I wasn't clear from your original issue that this is specifically about cracking the first line of a request. |
You have since edited it to be more clear, but I read it before the edits. :p |
It was 02:15 in the morning when I first found the issue and added this issue to the issue tracker. I realize that I had a bunch of additional context in my head that was not in the issue. Sorry for not making it more clear. The issue here is that we crack the first line, and then pass that uri from that to urlsplit. If we are a proxy server then that makes sense, because we will get a full URL and urlsplit will do its magic correctly. If however we have just a path + query string, then urlsplit fails miserably when the path starts with two Basically this needs to change to:
|
Is it not enough to check specifically for the |
@mmerickel and then add it back before setting it as the path? It is valid to send |
The HTTP spec states that it is acceptable to send a request like: GET //whatever/testing HTTP/1.1 This should get properly conveyed to the WSGI application, but due to the way that urlsplit works in the standard library this did not happen correctly. With this fix we pass through the original path as requested by the client, and the WSGI application will be responsible for collapsing multiple empty path segments as necessary. Fixes #260
The HTTP spec states that it is acceptable to send a request like: GET //whatever/testing HTTP/1.1 This should get properly conveyed to the WSGI application, but due to the way that urlsplit works in the standard library this did not happen correctly. With this fix we pass through the original path as requested by the client, and the WSGI application will be responsible for collapsing multiple empty path segments as necessary. Fixes #260
waitress/waitress/parser.py
Line 257 in 94e2311
This leads to things like:
Which means we accidentally drop
testing
before sending it on to the WSGI application. Ask me later how I figured that out.A request such as:
Is perfectly valid. Non-sensical maybe, but perfectly valid.
The text was updated successfully, but these errors were encountered: