Fix append_slash_redirect when PATH_INFO has internal slashes #2338
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
(This seems to have been a contentious issue — please don't hate me.)
This addresses an issue — reported before in #1972 — namely that
werkzeug.utils.append_slash_redirect
does not work correctly ifPATH_INFO
contains internal slashes.Suppose a request comes in for
http://example.com/app/foo/bar
. Assume this makes it to the WSGI app withenviron["SCRIPT_NAME"] = "/app"
andenviron["PATH_INFO"] = "/foo/bar"
. The app, in order to append a slash to the URL returnsappend_slash_redirect(environ)
. As things stand, this issues a redirect to the relative path"foo/bar/"
. That path gets interpreted relative to the base URL implied by the original request ("http://example.com/app/foo/bar"
) resulting in a final location of"http://example.com/app/foo/foo/bar/"
. This is not quite what is wanted — onefoo
is enough for us.The solution is to redirect to a relative path (as is currently done), but redirect to a relative path that contains only the trailing component PATH_INFO.
This PR fixes that and includes new tests that exercise the problem.
Relation to Prior Work
Note that this issue is subtly different than that purportedly "fixed" by PR #1538. PR #1538, as demonstrated by the tests included in that PR wants to redirect to an absolute path based on
PATH_INFO
. This results in (incorrectly) discarding any leading path components that may be in SCRIPT_NAME.There is also #1842. Due to its brevity, it is unclear precisely what issue is being described therein, but the proposed fix is the same as the (incorrect) solution proposed in #1538.
Issues Fixed
append_slash_redirect
misredirects #1972Checklist
CHANGES.rst
summarizing the change and linking to the issue... versionchanged::
entries in any relevant code docs.pre-commit
hooks and fix any issues.pytest
andtox
, no tests failed.