Host header is not validated #646
Comments
|
Thanks! It'd be useful to know if h11 has this problem so we'd know if #201 would address this problem. |
|
@kasium would something like this be a smaller repro? from cheroot.wsgi import Server, PathInfoDispatcher
Server(bind_addr=("localhost", 5001), wsgi_app=PathInfoDispatcher({})).safe_start() |
|
@webknjaz this does not show the issue for me |
|
@kasium are you saying that it's Flask that crashes when it sees something it doesn't expect? It could be useful to get a PR with test cases for valid and invalid values of the header. |
|
Yes, flask assumes that the Header was validated before but it's not. |
|
@kasium would you mind composing a pull request with an acceptance/regression test for this? It'd be useful to merge it in even without an implementation (marked with xfail). |
|
Sure, let me have a look later this week |
|
@webknjaz to write a test I need to know where a validation would happen. Also the error does only occur if e.g. a wsgi app parses the header later down the stack. I checked the cheroot code further and I think the best place for such a validation would be |
|
Just wondering if this would help? #722 |
β I'm submitting a ...
π Describe the bug. What is the current behavior?
An invalid host header which does not conform idna is just passed to the underlying wsgi application w/o any validation
β What is the motivation / use case for changing the behavior?
If the host header contains invalid data, this this data is passed as the HTTP_HOST environment field. It can lead to various issues
π‘ To Reproduce
Code
Now send a request to the server where you set the
Hostheader field tofoobar/...π‘ Expected behavior
Cheroot declines requests with invalid host header field.
π Environment
π Additional context
This was already reported to flask pallets/flask#5392
The text was updated successfully, but these errors were encountered: