ref(wsgi): Update _werkzeug vendor to newer version #4793
Conversation
| host = host[:-3] | ||
| elif scheme in {"https", "wss"} and host.endswith(":443"): | ||
| host = host[:-4] | ||
|
|
There was a problem hiding this comment.
π Here werkzeug have a condition for trusted hosts: https://github.com/pallets/werkzeug/blob/3.1.3/src/werkzeug/sansio/utils.py#L98
Why we don't use it?
There was a problem hiding this comment.
I assume because we're only using the get_host function to reconstruct the request URL and not any actual functionality.
| host = f"[{host}]" | ||
|
|
||
| if server[1] is not None: | ||
| host = f"{host}:{server[1]}" # noqa: E231 |
There was a problem hiding this comment.
ποΈ I had to define this because of:
E231 missing whitespace after ':'
75b9810 to
dab33fb
Compare
Codecov Reportβ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #4793 +/- ##
==========================================
- Coverage 84.47% 83.41% -1.07%
==========================================
Files 158 158
Lines 16506 16512 +6
Branches 2865 2864 -1
==========================================
- Hits 13944 13773 -171
- Misses 1712 1889 +177
Partials 850 850
|
30d3040 to
ba2c350
Compare
ba2c350 to
6238c21
Compare
| return None | ||
|
|
||
| try: | ||
| port = int(environ.get("SERVER_PORT", None)) # type: ignore[arg-type] |
There was a problem hiding this comment.
This # type was introduced in main branch not in 3.1.3
| environ["wsgi.url_scheme"], | ||
| environ.get("HTTP_HOST"), | ||
| _get_server(environ), | ||
| ) |
There was a problem hiding this comment.
Bug: Host Detection Functionality Broken
The get_host function now ignores the use_x_forwarded_for parameter. This means it no longer checks for HTTP_X_FORWARDED_HOST headers, breaking existing functionality that relies on forwarded host detection.
| """ | ||
| if use_x_forwarded_for and "HTTP_X_FORWARDED_HOST" in environ: | ||
| rv = environ["HTTP_X_FORWARDED_HOST"] | ||
| if environ["wsgi.url_scheme"] == "http" and rv.endswith(":80"): | ||
| rv = rv[:-3] | ||
| elif environ["wsgi.url_scheme"] == "https" and rv.endswith(":443"): | ||
| rv = rv[:-4] | ||
| elif environ.get("HTTP_HOST"): | ||
| rv = environ["HTTP_HOST"] | ||
| if environ["wsgi.url_scheme"] == "http" and rv.endswith(":80"): | ||
| rv = rv[:-3] | ||
| elif environ["wsgi.url_scheme"] == "https" and rv.endswith(":443"): | ||
| rv = rv[:-4] | ||
| elif environ.get("SERVER_NAME"): | ||
| rv = environ["SERVER_NAME"] | ||
| if (environ["wsgi.url_scheme"], environ["SERVER_PORT"]) not in ( | ||
| ("https", "443"), | ||
| ("http", "80"), | ||
| ): | ||
| rv += ":" + environ["SERVER_PORT"] | ||
| else: | ||
| # In spite of the WSGI spec, SERVER_NAME might not be present. | ||
| rv = "unknown" | ||
|
|
||
| return rv | ||
| return _get_host( | ||
| environ["wsgi.url_scheme"], | ||
| environ.get("HTTP_HOST"), | ||
| _get_server(environ), | ||
| ) |
There was a problem hiding this comment.
Potential bug: The new get_host function ignores the use_x_forwarded_for parameter and no longer checks for the HTTP_X_FORWARDED_HOST header, causing a functional regression.
-
Description: The refactored
get_hostfunction no longer handles theHTTP_X_FORWARDED_HOSTheader, even when theuse_x_forwarded_forparameter isTrue. This is a regression from the previous implementation. In a proxied environment where theHTTP_HOST(the proxy's host) differs fromHTTP_X_FORWARDED_HOST(the client's original host), this will cause incorrect request URLs to be generated and reported in Sentry events. This affects integrations like Django wheresettings.USE_X_FORWARDED_HOSTis used to control this behavior. -
Suggested fix: Reinstate the logic to check for
environ['HTTP_X_FORWARDED_HOST']whenuse_x_forwarded_forisTrue. If the header is present, its value should be used as the host, preserving the behavior of the previous implementation for proxied environments.
severity: 0.65, confidence: 0.95
Did we get this right? π / π to inform future reviews.
|
Thanks for the PR @mgaligniana -- I think the |
Fixes GH-3516