Dev server redirects to arbitrary url when path starts with double slash // #1639
As the documentation states the integrated server is intended for development environments only:
This doesn't seem like an issue to me, or does this happen with other servers as well (gunicorn, uwsgi, etc.)?
I didn't test with other servers, but I ran the Flask server and the issue happened. Use the code above, run the server, and check the requests and responses.
I tested in Firefox, Chrome, and Opera and was redirected to domains such as google.com, bing.com, yahoo.com, and msn.com.
This bug exists in Flask on Why do
You are not supposed to do that. Open redirects are mostly an issue on high-profile/trusted sites, and those are even less likely to use the dev server in production.

@davidism: 301 redirect maybe? That'd explain why it happens for you with no server running.
If I run the service on Linux with bash and access the Flask app, this is an issue. Example: http://148.251.25.244:9090//google.com
The dev server is not acceptable for any production setup, period. If someone uses it anyway, it's his fault if his box gets pwned or abused. I just looked into it and the problem happens due to an incorrect
Can someone still report a bug to werkzeug, perhaps, so it can decide how to handle this?
OK, this is not a Flask bug, possibly not even a werkzeug bug. The double slash results in the
You mean the issue is here?

```python
from http.server import BaseHTTPRequestHandler

import werkzeug
from werkzeug.urls import url_parse


class WSGIRequestHandler(BaseHTTPRequestHandler, object):
    """A request handler that implements WSGI dispatching."""

    @property
    def server_version(self):
        return 'Werkzeug/' + werkzeug.__version__

    def make_environ(self):
        # self.path is the raw request-line target, e.g. '//google.com'
        request_url = url_parse(self.path)  ### issue here?
```
Yes.
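To make the mechanism discussed above concrete, here is an added example; it is not code from the Flask or Werkzeug projects or from anyone in this thread. It assumes that `urllib.parse.urlsplit` splits a `//host` target the same way `werkzeug.urls.url_parse` does, that the application has a route registered at `/` (so an empty path triggers the trailing-slash redirect), and that the hardened variant, which only honours a netloc when a full `scheme://host` target was requested, is the right shape for the fix. The redirect model is a simplification for illustration, not werkzeug's own routing code.

```python
"""Added illustration for this thread: how a request target starting with
'//' is split into a netloc, and why copying that netloc into HTTP_HOST lets
the router's trailing-slash redirect point at an attacker-chosen host.

Assumptions: urllib.parse.urlsplit stands in for werkzeug.urls.url_parse;
the app has a route at '/'; redirect_location() is a simplified model of the
routing layer, not werkzeug's Map code."""
from typing import Dict, Optional
from urllib.parse import urlsplit


def parse_request_path(raw_path: str) -> Dict[str, str]:
    """Split the raw request-line target the way make_environ does."""
    parts = urlsplit(raw_path)
    return {"scheme": parts.scheme, "netloc": parts.netloc, "path": parts.path}


def host_for_environ_vulnerable(raw_path: str, server_host: str) -> str:
    """Before: any netloc found in the request target overrides the server's
    own host, so a '//google.com' target yields HTTP_HOST=google.com."""
    parts = urlsplit(raw_path)
    return parts.netloc or server_host


def host_for_environ_fixed(raw_path: str, server_host: str) -> str:
    """After (assumed fix shape): only honour the netloc when a full absolute
    URL with scheme and host was requested, i.e. the proxy-request form.
    A bare '//host' target no longer changes HTTP_HOST."""
    parts = urlsplit(raw_path)
    if parts.scheme and parts.netloc:
        return parts.netloc
    return server_host


def redirect_location(raw_path: str, server_host: str, fixed: bool) -> Optional[str]:
    """Simplified model of the strict-slashes redirect: when the parsed path
    is empty, the router redirects to '/', and the Location header is built
    as an absolute URL from the host placed in the environ. Returns None when
    the path is non-empty and no redirect is issued (the app would 404 here)."""
    choose_host = host_for_environ_fixed if fixed else host_for_environ_vulnerable
    host = choose_host(raw_path, server_host)
    if urlsplit(raw_path).path == "":
        return "http://" + host + "/"
    return None


if __name__ == "__main__":
    # Constructed request targets matching the ones tried in this thread:
    # one, two and three leading slashes.
    for target in ("/google.com", "//google.com", "///google.com"):
        print(target, parse_request_path(target),
              "vulnerable ->", redirect_location(target, "127.0.0.1:8000", fixed=False),
              "fixed ->", redirect_location(target, "127.0.0.1:8000", fixed=True))
```

Running it shows why only the two-slash form is affected: `/google.com` has no netloc and a non-empty path, `///google.com` yields an empty netloc and the path `/google.com`, but `//google.com` yields netloc `google.com` and an empty path, so the vulnerable host selection combined with the empty-path redirect produces `http://google.com/`, while the fixed selection keeps the server's own host.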
Ultimately, the answer is still the same: don't use the dev server in production, it is not designed to be secure. At this point, it's clear that this is not a Flask bug, and it has been reported in pallets/werkzeug#822. Closing. |
If I try to navigate to http://127.0.0.1:8000//google.com (2 slashes), I get redirected to google.com. I correctly get a 404 with http://127.0.0.1:8000/google.com (1 slash) and http://127.0.0.1:8000///google.com (3 slashes). This is a vulnerability; I shouldn't be redirected to arbitrary URLs. Flask should prevent arbitrary redirects from URLs.