pallets / flask

The Python micro framework for building web applications.
https://flask.palletsprojects.com
BSD 3-Clause "New" or "Revised" License

Flask ignores multiple slashes at the beginning of the path #5489

Closed: Kotifnat closed this issue 3 months ago

Kotifnat commented 3 months ago

Environment:

I have paths with the prefix /admin. If you follow a path containing this prefix, the proxy in front of the app sees this and asks for mTLS auth. But when I follow this path with multiple slashes at the beginning (e.g. //admin, ///admin), the proxy ignores this, but Flask thinks that this is the same path as /admin and returns values that the client must not see. I think this should not work like this.

davidism commented 3 months ago

This is deliberate. If you know your HTTP server will handle it correctly, you can disable merge_slashes on url_map or a Rule: https://werkzeug.palletsprojects.com/en/3.0.x/routing/#rule-format
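The mismatch discussed in this thread, with one application-side guard, as an added example that is not part of the thread and is not Flask or Werkzeug code. `RejectRepeatedSlashes`, `merging_app` and `status_for` are hypothetical names, and the example assumes the proxy forwards the request path unchanged.

```python
from wsgiref.util import setup_testing_defaults


class RejectRepeatedSlashes:
    """Hypothetical WSGI middleware: refuse any path containing '//'.

    A proxy rule keyed on the literal prefix /admin does not cover //admin,
    so the app must not route such a path as if it were /admin.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if "//" in path:
            body = b"Not Found\n"
            start_response("404 Not Found", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def merging_app(environ, start_response):
    """Constructed stand-in for an app whose router collapses repeated slashes."""
    path = "/" + "/".join(p for p in environ["PATH_INFO"].split("/") if p)
    status = "200 OK" if path == "/admin" else "404 Not Found"
    start_response(status, [("Content-Type", "text/plain")])
    return [path.encode()]


def status_for(app, path):
    """Call a WSGI app with a constructed request and return its status line."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path  # constructed sample request path
    seen = []
    app(environ, lambda status, headers, exc_info=None: seen.append(status))
    return seen[0]


if __name__ == "__main__":
    guarded = RejectRepeatedSlashes(merging_app)
    for p in ("/admin", "//admin", "///admin", "/admin//x"):
        print(p, "| unguarded:", status_for(merging_app, p),
              "| guarded:", status_for(guarded, p))
```

In a Flask project the same wrapper can be installed with `app.wsgi_app = RejectRepeatedSlashes(app.wsgi_app)`; it complements, and does not replace, a proxy rule that normalizes the path before matching.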