Returned 200 for illegal request url #1541
Comments
@aftalavera see below picture.
Posting an absolute URI is fine in principle, so I guess the only issue here is that Flask doesn't do strict validation of the IP address and the scheme? I don't really know if that's its job.
@untitaker Yes, the issue is just what you said. I think maybe this is the responsibility of Werkzeug, but I'm not sure about the design principle of Flask, so I raised it here.
Not even Werkzeug, but whatever is parsing the original HTTP request. I'm not even sure if we should reject the request or just fall back to sensible defaults.
@untitaker I have read the Werkzeug code and found out Hope that will help you.
I'd consider this invalid; the development server is rather minimalistic, and production servers do the validation.
👍 for invalid. The dev server is not suitable for anything but development (and even then I'd run it behind nginx if there are lots of static assets so those requests aren't served by the dev server at all) so I don't think there's any important reason to be more strict in parsing HTTP requests as long as it works fine with valid requests.
I now have to agree with Adrian and Ronny, Flask/Werkzeug is not in a position to decide what a valid IP address is.
The Flask version is 0.10.1, and below is the server-side code.
Below is the input and output of the netcat tool.