Crash on /packages/?self=1

[rubenwardy]

Crash when accessing content.minetest.net/packages/?self=1

  File "/home/cdb/app/blueprints/packages/packages.py", line 112, in list_all
    return render_template("packages/list.html",
  File "/usr/local/lib/python3.10/site-packages/flask/templating.py", line 147, in render_template
    return _render(app, template, context)
  File "/usr/local/lib/python3.10/site-packages/flask/templating.py", line 130, in _render
    rv = template.render(context)
  File "/usr/local/lib/python3.10/site-packages/jinja2/environment.py", line 1301, in render
    self.environment.handle_exception()
  File "/usr/local/lib/python3.10/site-packages/jinja2/environment.py", line 936, in handle_exception
    raise rewrite_traceback_stack(source=source)
  File "/home/cdb/app/templates/packages/list.html", line 1, in top-level template code
    {% extends "base.html" %}
  File "/home/cdb/app/templates/base.html", line 204, in top-level template code
    <input type="hidden" name="r" value="{{ url_set_query() }}" />
  File "/home/cdb/app/utils/flask.py", line 107, in url_set_query
    return url_for(request.endpoint, **dargs)
  File "/usr/local/lib/python3.10/site-packages/flask/helpers.py", line 256, in url_for
    return current_app.url_for(
TypeError: Flask.url_for() got multiple values for argument 'self'

[sda97ghb]

Seems like a bug in Flask. I created an issue there https://github.com/pallets/flask/issues/5258

Also, since the error happens in the rendering of templates/base.html, it can be reproduced with any page, e.g.

• content.minetest.net/?self=1
• content.minetest.net/users/?self=1
• and so on

[rubenwardy]

Perhaps url_for isn't meant for untrusted data, and I should be using another method to get the current page's URL

[rubenwardy]

This is fixed in flask 3.0