Hynek Schlawack1d ago

speaking of Sentry: y'all might want to add a "werkzeug!=3.1.7" pin if you run Werkzeug (maybe via Flask) in a cluster with weird hostnames:

https://github.com/pallets/werkzeug/issues/3141

3.1.7 version introduces a BC break in host validation 路 Issue #3141 路 pallets/werkzeug

A feature to validate host http header no matter what introduces backwards compatibility break. The bug presents itself by regarding the host invalid (false-positive) A host like 069ef83c8f81497b8e...

GitHub
Show threadDavid Lord 
@hynek what I'm not clear on is how Django has been doing this same check for 15 years. People must be deploying Django on AWS.
Mar 25 at 2:32pmWeb
Show threadHynek Schlawack22h ago
@davidism maybe nobody is running Django in production 馃ぁ
Show threadCarlton Gibson22h ago
@hynek @davidism Now now hynek.
Show threadTin Tvrtkovi膰21h ago
@carlton @hynek @davidism 馃嵖馃嵖
Show threadHynek Schlawack21h ago
@davidism btw, I've checked and my problem is actually that my Host header is empty when pinged by Nomad/Consul鈥檚 health checker. If I get to it, I'll comment on the discussion later, but as heads up that this might be rather common.
Show threadGlyph20h ago
@hynek @davidism as I have recently learned we can鈥檛 even sunset TELNET so HTTP/0.9 seems like it鈥檚 here to stay too
Show threadDavid Lord 19h ago
@glyph @hynek Thanks both of you, these two comments helped me figure out what was going on: https://github.com/pallets/werkzeug/issues/3142
`get_host` should allow empty host 路 Issue #3142 路 pallets/werkzeug

#3113 updated get_host to always validate the host characters. However, it also disallowed the empty string. This is a bit too strict, it should only validate the string if it's not empty, or if tr...

GitHub