pallets / werkzeug

The comprehensive WSGI web application library.
https://werkzeug.palletsprojects.com
BSD 3-Clause "New" or "Revised" License

Built-in debugger malfunctions when url parameters are present #2918

Closed 0xC4DE closed 3 months ago

0xC4DE commented 5 months ago

When using Flask with debug enabled and attempting to debug a page with any URL parameter present, the debugger will malfunction and throw the error: "Error: Could not verify PIN. Network error?" It also does not print the debugger PIN into the console, unless upon startup.

To replicate this, make a simple Flask test app that throws an error like so:

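from flask import Flask

app = Flask(__name__)

@app.route("/")
def hello_world():
    # A bare raise with no active exception raises RuntimeError, which triggers the debugger.
    raise
    return "<p>Hello, World!</p>"

if __name__ == "__main__":
    # Start the development server with the debugger enabled (default port 5000).
    app.run(debug=True)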

Now, navigate to localhost:5000, after which the debug terminal will appear and work as intended. This is what appears in the console:

127.0.0.1 - - [26/Jun/2024 12:37:39] "GET /?__debugger__=yes&cmd=resource&f=debugger.js HTTP/1.1" 304 -
127.0.0.1 - - [26/Jun/2024 12:37:39] "GET /?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 304 -
127.0.0.1 - - [26/Jun/2024 12:37:39] "GET /?__debugger__=yes&cmd=resource&f=console.png HTTP/1.1" 304 -
 * To enable the debugger you need to enter the security pin:
 * Debugger pin code: xxx-xxx-xxx
127.0.0.1 - - [26/Jun/2024 12:37:41] "GET /?__debugger__=yes&cmd=printpin&s=3WfWFdnDEWFY1zvWLTW3 HTTP/1.1" 200 -

Do not insert the debugger PIN; instead, navigate to localhost:5000?test=test (any URL parameter will cause this). The debug console will appear. Upon clicking the terminal button to cause the PIN prompt, the prompt will appear; however, the error will appear a second time in the terminal, and no PIN will appear.

127.0.0.1 - - [26/Jun/2024 12:40:42] "GET /?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 304 -
127.0.0.1 - - [26/Jun/2024 12:40:42] "GET /?__debugger__=yes&cmd=resource&f=debugger.js HTTP/1.1" 304 -
127.0.0.1 - - [26/Jun/2024 12:40:42] "GET /?__debugger__=yes&cmd=resource&f=console.png HTTP/1.1" 304 -
127.0.0.1 - - [26/Jun/2024 12:40:51] "GET /?test=test?__debugger__=yes&cmd=printpin&s=LjqOQxjdwXsrbGPWHvJB HTTP/1.1" 500 -
Traceback (most recent call last):
...

Naturally, the debugger PIN should exist anyway. I think the issue is that ?__debugger__... is inserted instead of &__debugger__... in circumstances where URL parameters are already present. I cannot verify as I'm not certain where this should live. It's possible this is a Werkzeug problem. Feel free to tell me, and I'll reopen over there.

Environment:

fluffy-critter commented 4 months ago

I am running into this with the same situation, trying to debug an application where there are already parameters in the query string.

davidism commented 4 months ago

Happy to review a PR. Presumably it's an issue in the JavaScript where it's constructing the URLs.
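
The separator problem discussed in this thread, as an added example that is not part of the issue and is not Werkzeug's debugger.js: it contrasts always prefixing `?` with a query-aware builder and shows what a server would parse from each URL. The function names and the `s` value are hypothetical; the parameter names are the ones visible in the logged requests above.

```javascript
// Constructed sample values; "s" is a placeholder, not a real debugger secret.
const DEBUGGER_PARAMS = { __debugger__: "yes", cmd: "printpin", s: "SECRET-PLACEHOLDER" };

// Naive form: always prefixes "?", which is only correct when the page URL
// has no query string of its own.
function naiveDebuggerUrl(pageUrl, params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return `${pageUrl}?${query}`;
}

// Query-aware form: parse the URL and let URLSearchParams choose the separator.
function debuggerUrl(pageUrl, params) {
  const url = new URL(pageUrl);
  url.hash = ""; // a fragment must not end up in front of the appended parameters
  for (const [k, v] of Object.entries(params)) {
    url.searchParams.set(k, v); // set() replaces any same-named parameter already present
  }
  return url.toString();
}

// The query parameters a server would parse out of a request URL.
function serverView(requestUrl) {
  return Object.fromEntries(new URL(requestUrl).searchParams.entries());
}

const page = "http://localhost:5000/?test=test";
console.log(naiveDebuggerUrl(page, DEBUGGER_PARAMS));
console.log(serverView(naiveDebuggerUrl(page, DEBUGGER_PARAMS)));
console.log(debuggerUrl(page, DEBUGGER_PARAMS));
console.log(serverView(debuggerUrl(page, DEBUGGER_PARAMS)));
```

With the naive form, the second `?` is absorbed into the value of `test`, so the parsed query contains no `__debugger__` key at all.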