Comments (8)
A patch for moin by a moin user is attached to that page:
http://moinmo.in/MoinMoinBugs/PageEditorAndPageNamesWithColons
from werkzeug.
After looking at werkzeug.urls, urllib, urlparse, I think the issue is the strange safe='/:' default of werkzeug.url_quote.
That default is different btw. from werkzeug._quote and also different from urllib.quote, which both have safe='/' default.
When reading the Href docstring, it tells it is only dealing with path stuff (so no absolute urls with scheme: part are expected in the *path). But, if you have "foo:bar" there, it does not urlquote the colon, because colon is in the default safe list.
Thus, urllib.urljoin (which is MADE to deal with absolute URLs as 2nd argument) will get it wrong and think foo: is some scheme.
I suggest to change the werkzeug.url_quote() to use safe='/' default.
That will bring it in sync again with stdlib urllib.quote(), which also has safe='/' as default.
This will fix such issues as colons will become %3a then, so urljoin / urlparse don't think there is a scheme. There can't be a scheme, we are dealing with paths, see Href docs.
from werkzeug.
From urlparse.urljoin(base, url) docs:
If url is an absolute URL (that is, starting with // or scheme://), the url's host name and/or scheme will be present in the result.
If you do not want that behavior, preprocess the url with urlsplit() and urlunsplit(), removing possible scheme and netloc parts.
from werkzeug.
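The behaviour discussed in the comments above, as an added example that is not part of the thread or of werkzeug's code. It uses Python 3's `urllib.parse` (the thread's `urlparse` and `urllib` are the Python 2 names), and the helper names `reads_as_absolute`, `join_component` and `checked_join` are hypothetical. It shows which path components `urlsplit` reads as a scheme or netloc, how the `safe` set changes what `urljoin` returns, and a prefix check for the case that quoting alone does not cover.

```python
from urllib.parse import quote, urljoin, urlsplit

# Constructed sample path components, in the spirit of the thread's test cases.
SAMPLES = ["foo/bar", "foo:bar", "//bar", "foo://bar"]


def reads_as_absolute(component):
    """True if urlsplit() sees a scheme or netloc in a string meant as a path."""
    parts = urlsplit(component)
    return bool(parts.scheme or parts.netloc)


def join_component(base, component, safe):
    """Quote the component with the given safe set, then join it onto base."""
    return urljoin(base.rstrip("/") + "/", quote(component, safe=safe))


def checked_join(base, component):
    """Join with safe='/' and reject any result that left the base path."""
    prefix = base.rstrip("/") + "/"
    joined = urljoin(prefix, quote(component, safe="/"))
    if not joined.startswith(prefix):
        raise ValueError("component %r escaped base %r: %r"
                         % (component, base, joined))
    return joined


if __name__ == "__main__":
    for c in SAMPLES:
        print("%-10r absolute=%-5s safe='/:' -> %-12r safe='/' -> %r" % (
            c,
            reads_as_absolute(c),
            join_component("/base", c, "/:"),
            join_component("/base", c, "/"),
        ))
    # With ':' quoted, 'foo:bar' stays under /base, but '//bar' is still read
    # as a netloc because '/' is in the safe set; checked_join rejects it.
    for c in SAMPLES:
        try:
            print(repr(c), "->", checked_join("/base", c))
        except ValueError as exc:
            print("rejected:", exc)
```

Python 3's `quote()` emits uppercase hex, so the colon appears as `%3A` rather than `%3a`.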
diff -r c12c28282eab MoinMoin/support/werkzeug/utils.py --- a/MoinMoin/support/werkzeug/utils.py Sun Apr 17 19:47:04 2011 +0200 +++ b/MoinMoin/support/werkzeug/utils.py Sun Apr 17 23:10:36 2011 +0200 @@ -643,6 +643,11 @@ if path: if not rv.endswith('/'): rv += '/' + _scheme, _netloc, _path, _query, _fragment = urlparse.urlsplit(path) + if _scheme or _netloc: + # we only wanted path, ... but got something that would be + # misinterpreted as having a scheme and/or a netloc. Fix this: + path = './' + path rv = urlparse.urljoin(rv, path) if query: rv += '?' + url_encode(query, self.charset, sort=self.sort,
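Review bot: the new `if _scheme or _netloc:` branch applies the same `'./'` prefix to both cases, so a netloc-only argument such as `//bar` is passed to `urljoin` as `.//bar` with its empty path segment intact; it is worth deciding explicitly whether leading slashes should be stripped or kept there, and saying so in the comment. Only `_scheme` and `_netloc` are used after the `urlsplit` call, so `_path`, `_query` and `_fragment` could be dropped by slicing the result to its first two fields. The hunk comes without a test; cases for `foo:bar`, `//bar` and `foo://bar` would pin down the intended output of each branch.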
from werkzeug.
Can you provide a patch with testcase for pulling?
from werkzeug.
I don't use git, sorry, thus no git pull from me.
Do you want a patch?
from werkzeug.
Mainly a testcase :)
from werkzeug.
We only accept path components as arguments, it is not expected that you give a full url with scheme and netloc (or something that looks similar to one) when calling a Href instance:
    >>> href = Href('/base')
    >>> href('foo:bar')  # 'foo:' is NOT a scheme here!
    '/base/foo:bar'
    >>> href('//bar')  # '//bar' is NOT a netloc here!
    '/base/bar'
    >>> href('foo://bar')  # 'foo://bar' is NOT scheme and netloc here!
    '/base/foo://bar'
While the first one is as wanted and expected, the second and third test case show weird stuff / problems:
For '//bar', it loses a slash, while for 'foo://bar' it does not.
So I think we have found a design problem here:
If *path would only be expected to get single path COMPONENTS, we could expect that these components usually do not contain slashes. If they in fact do contain slashes, we maybe could escape them (because that would mean the component has a slash in its name, not that the component is meant to be two path components in a single string).
Needs more thinking...
from werkzeug.