Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid request.url when full URI is used as SERVER_NAME #2457

Open
PromyLOPh opened this issue May 17, 2022 · 6 comments · May be fixed by #2458
Open

Invalid request.url when full URI is used as SERVER_NAME #2457

PromyLOPh opened this issue May 17, 2022 · 6 comments · May be fixed by #2458
Assignees
@sjsadowski
Labels
bug needs investigation

Comments

@PromyLOPh
Copy link

Describe the bug
When using a full URL as config.SERVER_NAME the request’s URL (request.url) is invalid, as it contains two colons. The code does not properly split the SERVER_NAME, keeping the colon. Splitting on "://" instead works for me, but the code remains very fragile.

Code snippet

from sanic import Sanic
from sanic.response import text

app = Sanic("MyHelloWorldApp")
app.config.SERVER_NAME = 'https://www.example.com/api'

@app.get("/foo")
async def foo_handler(request):
        return text(f'{request.url}')
$ curl localhost:8001/foo
https:://www.example.com/foo

Expected behavior
The URL should be valid.

$ curl localhost:8001/foo
https://www.example.com/foo

Environment (please complete the following information):

  • OS: Linux-5.4.0-110-generic-x86_64-with-glibc2.33
  • Version Sanic v21.12.1
@sjsadowski
Copy link
Contributor

https://www.example.com/api is not a valid server name, it is a complete URI. With that being said, '/' is an invalid character for a hostname, and this should be throwing an error. It should also be documented that SERVER_NAME should be RFC1123 compliant when used.

We will look at including an appropriate fix that errors out when using invalid characters and document this appropriately.

@sjsadowski sjsadowski self-assigned this May 17, 2022
@sjsadowski sjsadowski added the bug label May 17, 2022
@sjsadowski sjsadowski changed the title Invalid request.url with full SERVER_NAME Invalid request.url when full URI is used as SERVER_NAME May 17, 2022
@Tronic
Copy link
Member

Tronic commented May 17, 2022

Was something changed? I recall myself implementing support for full URL SERVER_NAME a few years back, although IIRC it wouldn't (yet) support path but at least you could say https to provide correct scheme on external URLs instead of http as used when running behind Nginx.

@sjsadowski
Copy link
Contributor

@Tronic It hasn't changed, but the internal documentation refers to it being used when host_name isn't present, which in itself is probably wrong. In reality there probably needs to be an "external_url" config item that passes a full path when needed.

In reality, it's not well documented, and since everyone can interpret server_name differently, it probably should be documented specifically.

It's also concerning because the colon issue may be problematic if using an IPv6 address which probably needs investigation as well.

ref: https://sanic.readthedocs.io/en/stable/sanic/api/app.html -> url_for section

@PromyLOPh
Copy link
Author

As a bit of background: I am trying to host a sanic application behind a nginx reverse proxy mounted on a non-root path. Unfortunately the documentation provides no information on how to do this and standard ASGI with a root_path does not work. Instead #1731 suggest to use SERVER_NAME with a path, which works for url_for, but then I run into the issue reported here. I’m using request.url and the Origin header to prevent XSRF.

@ahopkins
Copy link
Member

ahopkins commented May 18, 2022
edited

This is indeed a bug.

app = Sanic(__name__)
app.config.SERVER_NAME = "http://www.myserver.com/nested"


@app.get("/handler")
async def handler(request: Request):
    return json(
        {
            "url": request.url,
            "scheme": request.scheme,
            "host": request.host,
            "path": request.path,
        }
    )
{
  "url": "http:://www.myserver.com/handler",
  "scheme": "http:",
  "host": "www.myserver.com",
  "path": "/handler"
}

@PromyLOPh would you be willing to submit a PR for us? Should be a small fix to parsing of the scheme. It is just a matter of adding .strip(":") to the end of this line and hopefully adding a test or two.

sanic/sanic/request.py

Line 715 in 5d683c6

return self.app.config.SERVER_NAME.split("//")[0]

@PromyLOPh
Copy link
Author

Sure, I can prepare a PR.

PromyLOPh added a commit to leibniz-psychology/bawwab that referenced this issue May 18, 2022
@PromyLOPh
session: Work around sanic bug
6f4b89a 
Upstream issue at sanic-org/sanic#2457
@PromyLOPh PromyLOPh linked a pull request May 18, 2022 that will close this issue
Draft
@prryplatypus prryplatypus linked a pull request May 26, 2022 that will close this issue
Fix request.url with full URI as SERVER_NAME #2458
Draft
@prryplatypus prryplatypus removed a link to a pull request May 26, 2022
Fix request.url with full URI as SERVER_NAME #2458
Draft
@ChihweiLHBird ChihweiLHBird linked a pull request Jun 21, 2022 that will close this issue
Fix request.url with full URI as SERVER_NAME #2458
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sjsadowski sjsadowski

Labels
bug needs investigation
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix request.url with full URI as SERVER_NAME PromyLOPh/sanic
4 participants
@PromyLOPh @Tronic @ahopkins @sjsadowski