does not apply any parameters other than max at all.
In another case, for example: <string(minLength=8;maxlength=32):my_value>
minLength=8 - also not applied
but in case you write it like this: <string(minlength=8;maxLength=32):my_value>
an exception occurs:
UnicodeConverter:
..\site-packages\werkzeug\routing\converters.py:254 and :77
..\site-packages\werkzeug\routing\rules.py:578
TypeError: __init__() got an unexpected keyword argument 'maxLength'
What do I see as the solutions to this situation?
1. Describe the correct syntax in the documentation, so that it would be a complete and exhaustive description (currently the syntax is only specified for python function arguments, but not for rule_route).
2. Fix checking of parameter syntax in the stringtype fragment of rule_route.
3. Execute both items 1 and 2 at once.
Below is the full traceback of the error:
if syntax: <string(minlength=8,maxLength=32):my_value>
File "...\lib\site-packages\flask\sansio\scaffold.py", line 44, in wrapper_func
return f(self, *args, **kwargs)
File "...\lib\site-packages\flask\sansio\app.py", line 655, in add_url_rule
self.url_map.add(rule)
File "...\lib\site-packages\werkzeug\routing\map.py", line 169, in add
rule.bind(self)
File "...\lib\site-packages\werkzeug\routing\rules.py", line 563, in bind
self.compile()
File "...\lib\site-packages\werkzeug\routing\rules.py", line 708, in compile
self._parts.extend(self._parse_rule(rule))
File "...\lib\site-packages\werkzeug\routing\rules.py", line 614, in _parse_rule
convobj = self.get_converter(
File "...\lib\site-packages\werkzeug\routing\rules.py", line 578, in get_converter
return self.map.converters[converter_name](self.map, *args, **kwargs)
TypeError: __init__() got an unexpected keyword argument 'maxLength'
if syntax: <string(minlength=8;maxLength=32):my_value>
File "...\lib\site-packages\flask\sansio\scaffold.py", line 44, in wrapper_func
return f(self, *args, **kwargs)
File "...\lib\site-packages\flask\sansio\app.py", line 655, in add_url_rule
self.url_map.add(rule)
File "...\lib\site-packages\werkzeug\routing\map.py", line 169, in add
rule.bind(self)
File "...\lib\site-packages\werkzeug\routing\rules.py", line 563, in bind
self.compile()
File "...\lib\site-packages\werkzeug\routing\rules.py", line 708, in compile
self._parts.extend(self._parse_rule(rule))
File "...\lib\site-packages\werkzeug\routing\rules.py", line 614, in _parse_rule
convobj = self.get_converter(
File "...\lib\site-packages\werkzeug\routing\rules.py", line 578, in get_converter
return self.map.converters[converter_name](self.map, *args, **kwargs)
TypeError: __init__() got an unexpected keyword argument 'maxLength'
if syntax: <string(min_my_any_incorrect_input_length=8;maxlength=32):my_value>
the error is not present, but is expected to be present
if syntax:
<string(min_my_any_incorrect_input_length=8,maxlength=32):my_value>
File "...\lib\site-packages\flask\sansio\scaffold.py", line 44, in wrapper_func
return f(self, *args, **kwargs)
File "...\lib\site-packages\flask\sansio\app.py", line 655, in add_url_rule
self.url_map.add(rule)
File "...\lib\site-packages\werkzeug\routing\map.py", line 169, in add
rule.bind(self)
File "...\lib\site-packages\werkzeug\routing\rules.py", line 563, in bind
self.compile()
File "...\lib\site-packages\werkzeug\routing\rules.py", line 708, in compile
self._parts.extend(self._parse_rule(rule))
File "...\lib\site-packages\werkzeug\routing\rules.py", line 614, in _parse_rule
convobj = self.get_converter(
File "...\lib\site-packages\werkzeug\routing\rules.py", line 578, in get_converter
return self.map.converters[converter_name](self.map, *args, **kwargs)
TypeError: __init__() got an unexpected keyword argument 'min_my_any_incorrect_input_length'
Once again, let's rephrase what was said:
if a delimiter is specified, e.g. ";", when "," is expected, then the parameters and their correct syntax are not checked, and the invalid syntax exception is not raised, both for the delimiter character ";" and for an invalid parameter name, e.g. (from the code snippets above) "min_my_any_incorrect_input_length".
In this case, the compilation of the application (in my case flask) completes without error, and min & max length are expected to work correctly.
This could create potential security threats, but I don't think it's worth listing the possible variations of potential vulnerabilities.
Environment:
Python version: 3.9.10
Werkzeug version: 3.0.0
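A start-up lint for the misparse reported above, as an added example that is not part of the original issue and not Werkzeug's own code: it rejects converter arguments that are not strictly comma-separated `name=value` pairs with known names. The names `lint_rule`, `ALLOWED` and `SAMPLES` are hypothetical, and the allow-list is an assumption to check against the installed Werkzeug version.

```python
import re

# Assumed allow-list of keyword arguments for three built-in converters;
# any other converter is reported so that it gets reviewed by hand.
ALLOWED = {
    "string": {"minlength", "maxlength", "length"},
    "int": {"fixed_digits", "min", "max", "signed"},
    "float": {"min", "max", "signed"},
}

# <converter(args):variable>; only parts that carry an argument list matter.
PART_RE = re.compile(r"<(?P<conv>[A-Za-z_]\w*)\((?P<args>[^)]*)\):(?P<var>\w+)>")
# One strictly formed item: name=value and nothing else. Positional
# arguments are rejected on purpose so every limit is named explicitly.
ITEM_RE = re.compile(r"\s*(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<value>[\w.+-]+)\s*")


def lint_rule(rule):
    """Return a list of problems found in the converter arguments of `rule`."""
    problems = []
    for part in PART_RE.finditer(rule):
        conv, var = part["conv"], part["var"]
        allowed = ALLOWED.get(conv)
        if allowed is None:
            problems.append(f"{var}: converter '{conv}' is not in the allow-list")
            continue
        for raw in part["args"].split(","):
            item = ITEM_RE.fullmatch(raw)
            if item is None:
                # Catches ';' used as a delimiter: the text is then not a
                # single name=value pair.
                problems.append(f"{var}: cannot parse argument '{raw.strip()}'")
            elif item["name"] not in allowed:
                problems.append(f"{var}: unknown argument '{item['name']}' for '{conv}'")
    return problems


# Constructed sample rules, built from the fragments quoted in the issue.
SAMPLES = [
    "/a/<string(minlength=8,maxlength=32):my_value>",
    "/b/<string(minlength=8;maxlength=32):my_value>",
    "/c/<string(minLength=8;maxlength=32):my_value>",
    "/d/<string(min_my_any_incorrect_input_length=8,maxlength=32):my_value>",
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(rule, "->", lint_rule(rule) or "ok")
```

Running it over every rule string before registering routes turns a silently dropped length limit into a failed start-up check.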
killershotpy changed the title from "Built-in Converters not check parameters" to "Built-in converters do not check syntax of the parameters" on Dec 24, 2023
Hey, everybody.
I noticed that default Converters do not check correct syntax of parameters such as:
when using the ";" delimiter instead of "," (there is no clear and exhaustive description of this in the documentation, for example here: https://werkzeug.palletsprojects.com/en/3.0.x/routing/#built-in-converters).
does not cause an exception to be thrown, moreover, the syntax of this kind:
does not apply any parameters other than max at all.