
Returned 200 for illegal request url #1541

Closed
loggerhead opened this issue Jul 28, 2015 · 8 comments

Comments

@loggerhead

Flask version is 0.10.1 and below is the server-side code.

from flask import Flask
app = Flask(__name__)

@app.route('/')
def hello_world():
    return 'Hello World!'

if __name__ == '__main__':
    app.run()

Below is the input and output of the netcat tool.

GET foo://127.999.999.999/ HTTP/1.1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 12
Server: Werkzeug/0.10.4 Python/2.7.10
Date: Tue, 28 Jul 2015 02:56:03 GMT

Hello World!
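As an added example (not code from the issue, from Flask or from Werkzeug), the request line from the report is first parsed the lenient way the stdlib BaseHTTPRequestHandler.parse_request does (split on whitespace, check the version token, pass the request-target through unchecked), and then run through the strict validation of an absolute-form request-target that this thread observes is missing: allowed scheme, present host, in-range port, and a host that looks like an IP literal actually being one. The helper names, the allowed-scheme list and the sample request lines are constructed for this example; the target forms follow RFC 7230 section 5.3.

```python
"""Lenient vs. strict parsing of an HTTP/1.1 request line.

Added example, not code from the issue, Flask or Werkzeug. Helper names,
ALLOWED_SCHEMES and SAMPLE_REQUEST_LINES are constructed for illustration.
"""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}


def lenient_parse(request_line: str) -> Optional[Tuple[str, str, str]]:
    """Mimic what BaseHTTPRequestHandler.parse_request checks: three tokens and
    a version starting with 'HTTP/'. The request-target is accepted as-is,
    which is why 'GET foo://127.999.999.999/ HTTP/1.1' reaches the app."""
    words = request_line.split()
    if len(words) != 3:
        return None
    method, target, version = words
    if not version.startswith("HTTP/"):
        return None
    return method, target, version


def validate_target(target: str) -> Optional[str]:
    """Return None if the request-target is acceptable, else a reason.

    origin-form ('/path') and asterisk-form ('*') pass through; absolute-form
    must use an allowed scheme, carry a host, have an in-range port, and any
    host written as an IP literal must parse as one."""
    if target.startswith("/") or target == "*":
        return None
    try:
        parts = urlsplit(target)  # newer Pythons raise on a bad [IPv6] authority
    except ValueError:
        return "malformed authority"
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"unsupported scheme {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        parts.port  # raises ValueError when non-numeric or outside 0-65535
    except ValueError:
        return "invalid port"
    looks_like_ip = "[" in parts.netloc or host.replace(".", "").isdigit()
    if looks_like_ip:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            return f"malformed IP literal {host!r}"
    return None


def check_request_line(request_line: str) -> str:
    """Classify a request line as 'accept' or 'reject: <reason>'."""
    parsed = lenient_parse(request_line)
    if parsed is None:
        return "reject: malformed request line"
    method, target, _version = parsed
    if method not in HTTP_METHODS:
        return f"reject: unknown method {method!r}"
    reason = validate_target(target)
    return "accept" if reason is None else f"reject: {reason}"


# Constructed sample input: the line from the report plus a few neighbours.
SAMPLE_REQUEST_LINES = [
    "GET / HTTP/1.1",                        # origin-form
    "GET http://127.0.0.1:5000/ HTTP/1.1",   # valid absolute-form
    "GET foo://127.999.999.999/ HTTP/1.1",   # the line from the report
    "GET http://127.999.999.999/ HTTP/1.1",  # right scheme, bogus IPv4
    "GET http://127.0.0.1:99999/ HTTP/1.1",  # port out of range
    "GET http://[::1]/ HTTP/1.1",            # valid IPv6 literal
]

if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        print(f"{line!r:45} lenient={lenient_parse(line) is not None} "
              f"strict={check_request_line(line)}")
```

Running it shows every sample line surviving the lenient parse, while the strict check rejects the report's line for its scheme, the same host under http:// for its malformed IPv4 literal, and the 99999 port for being out of range.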
@loggerhead
Author

@aftalavera see below picture.

[image: output]

@untitaker
Contributor

Posting an absolute URI is fine in principle, so I guess the only issue here is that Flask doesn't do strict validation of the IP address and the scheme? I don't really know if that's its job.

@loggerhead
Author

@untitaker Yes, the issue is just what you said. I think maybe this is the responsibility of Werkzeug, but I'm not sure about the design principles of Flask, so I filed the issue here.

@untitaker
Contributor

Not even Werkzeug, but whatever is parsing the original HTTP request.

I'm not even sure if we should reject the request or just fall back to sensible defaults.

@untitaker untitaker reopened this Jul 28, 2015
@loggerhead
Author

@untitaker I have read the Werkzeug code and found out that WSGIRequestHandler in werkzeug/serving.py inherits from BaseHTTPRequestHandler, and its parse_request method does the parsing.

Hope that helps you.

@RonnyPfannschmidt
Contributor

I'd consider this invalid; the development server is rather minimalistic, production servers do the validation.

@ThiefMaster
Member

👍 for invalid. The dev server is not suitable for anything but development (and even then I'd run it behind nginx if there are lots of static assets so those requests aren't served by the dev server at all) so I don't think there's any important reason to be more strict in parsing HTTP requests as long as it works fine with valid requests.

@untitaker
Contributor

I now have to agree with Adrian and Ronny; Flask/Werkzeug is not in a position to decide what a valid IP address is.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 14, 2020