Werkzeug incorrectly handles multiline headers #1080
According to RFC 2616:
However, Werkzeug does not accept header values with newlines, even if they abide by this convention.
Also, this restriction is applied inconsistently.
I ran into this issue when trying to write test cases relating to nginx forwarding of client certificates via headers, so there is a real use case for supporting this properly.
HTTP headers do not allow newlines. The section you're quoting talks about folding, which ought to remove newlines from the unfolded value. This:
should get unfolded to something like this:
Apart from that, Werkzeug doesn't parse HTTP at this level, this is the job of the WSGI server. The only reason it rejects newlines when parsing requests is to catch security issues.
This ticket was motivated by the real-life behavior of Flask in development mode behind an nginx proxy forwarding client certs. With that setup, I observed newlines in the headers being passed to the application. But when I attempted to replicate this in a unit test I got the above
I did a bit more research on this issue and found the following:
So this means that there are two bugs here:
@davidism As I mentioned in a previous comment, there are actually two bugs here, neither of which has been fixed on the current master branch.
The first bug involves how the werkzeug development server handles line-wrapped headers. It can be reproduced with the following server code, which prints the value of the
We can then send it a request with a header spanning multiple lines:
Expected server output:
Actual server output (Python 2):
Actual server output (Python 3):
The second bug has to do with how the
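Added example (written for this page, not code from the issue or from the Werkzeug project) covering both the unfolding rule davidism describes and the dev-server reproduction above. It parses a constructed request whose header is line-wrapped the way nginx wraps a certificate (a tab before each continuation line), unfolds it per RFC 7230 obs-fold (each CRLF plus leading whitespace becomes one space), and contrasts that with what `http.client.parse_headers`, the parser behind `http.server` and therefore the Werkzeug development server, hands back: the fold is kept verbatim, so a Werkzeug-style "no CR/LF in a header value" check correctly refuses it. The request bytes, the header name `X-Client-Cert` and the function names are this example's own.

```python
"""Added example: obs-fold unfolding vs. a raw-newline check on header values.

The request below is constructed for this example; it is not a real capture.
"""
import http.client
import io
import re

# RFC 7230 section 3.2.4: obs-fold = CRLF 1*( SP / HTAB ). A server that
# accepts it must replace each fold with one or more SP before using the value.
OBS_FOLD = re.compile(rb"\r?\n[ \t]+")

# Constructed request with an nginx-style folded header (continuation lines
# start with a tab) followed by the blank line that ends the header block.
RAW_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Client-Cert: -----BEGIN CERTIFICATE-----\r\n"
    b"\tMIIBconstructed-not-a-real-cert\r\n"
    b"\t-----END CERTIFICATE-----\r\n"
    b"\r\n"
)


def unfold_headers(raw: bytes) -> dict:
    """Parse a raw request header block, unfolding obs-fold per RFC 7230.

    Returns {lowercased name: unfolded value}. Any CR/LF left in a value
    after this step is a parser bug, never a legitimate newline.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]          # drop the request line
    unfolded = OBS_FOLD.sub(b" ", b"\r\n".join(lines))
    headers = {}
    for line in unfolded.split(b"\r\n"):
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def check_header_value(value: str) -> str:
    """Werkzeug-style guard: a bare CR or LF is never legal inside a header
    value, so refuse it instead of passing it on (this is the check that
    blocks header injection / response splitting)."""
    if "\r" in value or "\n" in value:
        raise ValueError("Detected newline in header value")
    return value


def stdlib_raw_value(raw: bytes, name: str) -> str:
    """What http.server-based servers see for a folded header: the stdlib
    parser keeps the fold (CRLF plus the leading tab) inside the value, so it
    reaches the WSGI environ un-unfolded."""
    header_block = raw.split(b"\r\n", 1)[1]   # parse_headers wants no request line
    msg = http.client.parse_headers(io.BytesIO(header_block))
    return msg[name]


if __name__ == "__main__":
    unfolded = unfold_headers(RAW_REQUEST)["x-client-cert"]
    print("unfolded:", repr(check_header_value(unfolded)))
    stdlib = stdlib_raw_value(RAW_REQUEST, "X-Client-Cert")
    print("stdlib  :", repr(stdlib))
    try:
        check_header_value(stdlib)
    except ValueError as exc:
        print("rejected:", exc)
```

The unfolded value is what an application should ever see; the raw value with the fold still inside it is what the dev server passes through, which is why the same header that arrives fine from a proxy is rejected as soon as Werkzeug's own validation gets a look at it.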
I was seeing the
I tracked down what headers we were passing and one of them was a multi-line cert in PEM format, i.e.:
Our nginx server was configured like so:
We should probably be using
Hoping this helps anyone else that is running into this problem. It appears that
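Added example (not from the issue, nginx or Werkzeug) for the nginx side of this: nginx's `$ssl_client_cert` variable renders the PEM with a tab in front of every line after the first, which is exactly the folded header the thread is about, and is deprecated in favour of `$ssl_client_escaped_cert` (nginx 1.13.5 and later), which percent-encodes the PEM onto a single line. The block simulates both renderings for a constructed stand-in certificate and shows the application-side decoder for the escaped form, which refuses any value that still carries a raw newline. The header name `X-Client-Cert` and the function names are this example's choices.

```python
"""Added example: the two nginx renderings of a forwarded client cert, and
decoding the escaped one. nginx directives for reference:

    # deprecated: produces a folded (tab-continued) multi-line header
    proxy_set_header X-Client-Cert $ssl_client_cert;
    # preferred (nginx >= 1.13.5): single-line, percent-encoded PEM
    proxy_set_header X-Client-Cert $ssl_client_escaped_cert;

The certificate below is constructed (base64 of junk bytes), not a real cert.
"""
import base64
from urllib.parse import quote, unquote

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for DER certificate bytes.
FAKE_DER = b"constructed-not-a-real-certificate"
FAKE_PEM = "\n".join([PEM_HEADER, base64.b64encode(FAKE_DER).decode("ascii"), PEM_FOOTER]) + "\n"


def render_ssl_client_cert(pem: str) -> str:
    """Simulates the deprecated $ssl_client_cert: every line after the first
    is prefixed with a tab, so the header arrives folded."""
    return "\n\t".join(pem.rstrip("\n").split("\n"))


def render_ssl_client_escaped_cert(pem: str) -> str:
    """Simulates $ssl_client_escaped_cert: the PEM percent-encoded on one line."""
    return quote(pem, safe="")


def der_from_escaped_header(value: str) -> bytes:
    """Recover DER bytes from an X-Client-Cert header carrying the escaped form.

    A correctly escaped certificate never contains a raw CR/LF; refusing one
    here keeps the folded-header ambiguity out of the application entirely.
    """
    if "\r" in value or "\n" in value:
        raise ValueError("raw newline in header value; expected urlencoded PEM")
    body = unquote(value).strip()
    if not body.startswith(PEM_HEADER) or not body.endswith(PEM_FOOTER):
        raise ValueError("not a PEM certificate")
    b64 = body[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode("".join(b64.split()), validate=True)


if __name__ == "__main__":
    print("folded  :", repr(render_ssl_client_cert(FAKE_PEM)))
    escaped = render_ssl_client_escaped_cert(FAKE_PEM)
    print("escaped :", escaped)
    print("decoded :", der_from_escaped_header(escaped))
```

With the escaped variable the header is a single line of percent-encoded text, so nothing between nginx and the application has to agree on how to fold or unfold it; decoding is one `unquote` followed by ordinary PEM handling.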