Werkzeug incorrectly handles multiline headers #1080
HTTP headers do not allow newlines. The section you're quoting talks about folding, which ought to remove newlines from the unfolded value. This:
should get unfolded to something like this:
Apart from that, Werkzeug doesn't parse HTTP at this level, this is the job of the WSGI server. The only reason it rejects newlines when parsing requests is to catch security issues.
This ticket was motivated by the real-life behavior of Flask in development mode behind an nginx proxy forwarding client certs. With that setup, I observed newlines in the headers being passed to the application. But when I attempted to replicate this in a unit test I got the above. I did a bit more research on this issue and found the following:
So this means that there are two bugs here:
Fair enough. There's also #1070 which plays into this.
Fairly sure this was fixed with the fix for #1070. If not, please let me know with a reproducible example.
@davidism As I mentioned in a previous comment, there are actually two bugs here, neither of which has been fixed on the current master branch. The first bug involves how the werkzeug development server handles line-wrapped headers. It can be reproduced with the following server code, which prints the value of the
We can then send it a request with a header spanning multiple lines:
Expected server output:
Actual server output (Python 2):
Actual server output (Python 3):
The second bug has to do with how the
Expected result:
Actual result:
I was seeing the ------UPDATE-------: I tracked down what headers we were passing and one of them was a multi-line cert in pem format i.e.:
Our nginx server was configured like so:
We should probably be using
Hoping this helps anyone else that is running into this problem. It appears that
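The two situations in this thread, a header value folded onto a continuation line and a multi-line PEM certificate forwarded by nginx, can both be handled by unfolding per RFC 2616 section 2.2 and rejecting only the CR/LF that does not start a fold. The following is an added example, not Werkzeug's code; the tab-indented PEM lines and the header name `X-SSL-Client-Cert` are constructed sample input.

```python
import re

# RFC 2616 section 2.2: a header value may be folded onto a following line
# that begins with SP or HT. Unfolding replaces CRLF + that whitespace
# with a single SP. Any other CR or LF in a value is an injection attempt.
_FOLD = re.compile(r"\r?\n[ \t]+")
_BARE_CR_LF = re.compile(r"\r(?!\n)|\r?\n(?![ \t])")


def unfold_header_value(value):
    """Collapse valid folds to one SP; reject a CR/LF that is not a fold."""
    if _BARE_CR_LF.search(value):
        raise ValueError("bare CR/LF in header value: %r" % value)
    return _FOLD.sub(" ", value).strip()


def is_safe_header_value(value):
    """True when the value is usable after unfolding (no injection)."""
    try:
        unfold_header_value(value)
        return True
    except ValueError:
        return False


def parse_header_block(raw):
    """Split a raw request header block into (name, value) pairs.

    Physical lines starting with SP/HT are joined to the previous field
    before unfolding, which is the step the thread's dev server skipped.
    """
    logical = []
    for line in raw.split("\n"):
        line = line[:-1] if line.endswith("\r") else line
        if not line:
            continue
        if line[0] in " \t":
            if not logical:
                raise ValueError("continuation line before any header")
            logical[-1] += "\r\n" + line
        else:
            logical.append(line)
    headers = []
    for field in logical:
        name, sep, value = field.partition(":")
        if not sep or not name or re.search(r"\s", name):
            raise ValueError("malformed header line: %r" % field)
        headers.append((name, unfold_header_value(value)))
    return headers


# Constructed sample: nginx-style forwarded cert, continuation lines tab-indented.
SAMPLE_BLOCK = (
    "X-SSL-Client-Cert: -----BEGIN CERTIFICATE-----\r\n"
    "\tQ09OU1RSVUNURUQ=\r\n"  # not a real certificate body
    "\t-----END CERTIFICATE-----\r\n"
    "Host: example.test\r\n"
)
```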
This is a 2.7 issue again caused by the header processing of the development server. I am adding the ability to process folding of headers to the 2.7 compatibility code for request headers.
Confirmed that development server bug is now fixed in both Python 2 and 3. The second issue with the
According to RFC 2616:
However, werkzeug does not accept header values with newlines, even if they abide by this convention.
Also, this restriction is applied inconsistently.
I ran into this issue when trying to write test cases relating to nginx forwarding of client certificates via headers, so there is a real use case for supporting this properly.