Open BSVogler opened 3 years ago
I think that port should be a part of baseUrl in this case.
If you initialize the client with baseUrl that already contains port is it resolve the issue?
Yes, it resolves the issue, but my point is that this should not throw the error when you configure it without the port. Maybe just check for the hostname e.g.
if urllib.parse.urlparse(self.url).netloc == urllib.parse.urlparse(path).netloc
The strict check was done for security reasons.
Unfortunately netloc
will not work. First of all, it keeps port anyway.
>>> urlparse('http://localhost:8080/fhir')
ParseResult(scheme='http', netloc='localhost:8080', path='/fhir', params='', query='', fragment='')
Secondly, we need to check a path as well. In some cases, more than only the FHIR server can be launched on the same domain.
http://example.com -> points to some landing page
http://example.com/fhir -> points to fhir server
http://example.com/admin -> point to 3dparty web app
In case of FHIR server misconfiguration, it is possible that during pagination the request may be sent to the wrong URL that handles with another software. It will cause token exposure.
When it shall be really strict we need to have the match of the exact url and derive the default port when not given.
parsed_next = urllib.parse.urlparse(self.url)
if parsed_next.port!='':
parsed = urllib.parse.urlparse(path)
if parsed.port == '' and parsed.scheme == "https":
path=parsed.scheme+'://'+ parsed.netloc+':443'+ parsed.path
if self.url in path:
When using paginated requests the returned URL may contain the port. This results in the check in https://github.com/beda-software/fhir-py/blob/4296920de216acc8915a6bbcee581428ce1569cd/fhirpy/base/lib.py#L81
to raise an exception although the base URL is the same. E.g. it crashes with