Flask: Python - Headers not decoded properly

Created on 25 Jan 2017 · 6 Comments · Source: pallets/flask

Hi,
I try to pass information in headers, such as passwords.
When receiving it in my program, special characters are not properly decoded, such as €£ and French accented chars.
It works fine if they're encoded in regular HTTP args.

Example:

curl -v --header "user_email:[email protected]" --header "user_password:é€" -X GET "http://localhost:5000/api/private/v1.0/auth"
Trying ::1...
connect to ::1 port 5000 failed: Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1) port 5000 (#0)
GET /api/private/v1.0/auth HTTP/1.1
Host: localhost:5000
User-Agent: curl/7.43.0
Accept: /
user_email:[email protected]
user_password:é€

On the app side:

Headers=Accept: /
Content-Length:
User-Agent: curl/7.43.0
User-Password: é€
Host: localhost:5000
User-Email: [email protected]
Content-Type:

All 6 comments

Can you please test with an HTTP client that is not affected by whatever encoding your shell uses?

However, I think headers should be ascii-only: http://stackoverflow.com/questions/4400678/what-character-encoding-should-i-use-for-a-http-header

Sending a password as a header seems to be a bad idea anyway - it'd be better to send a POST request with the username and password in the body (for which you can specify a charset/encoding!) and then return a token that will be used in a header (usually in Authorization) for all other requests.

And also ensure that you're outputting the values using the correct encoding.

Well @ThiefMaster the Authorization header is a thing, so I think sending passwords as header should be fine... in fact it has to be. :)

The Authorization header is base64-encoded though... so no raw non-ASCII in there.

Oh, yeah.

Thanks all for jumping here first.
About testing with another tool, it is actually with another tool that we found the problem (a Java dev based on the lib Jersey/2.23.2 (HttpUrlConnection 1.8.0_73)), so the result will be the same as in my shell.

I think the point about the ASCII limitation seems a good explanation at that stage. I did not think about that.
It works fine if it's base64-ified.

I think we can close this; it's not a bug in the end :)

Thanks a lot!
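
The behaviour discussed in this thread, as an added example that is not part of the original issue or of Flask's code: it assumes a server that follows PEP 3333, which hands header bytes to the application decoded as ISO-8859-1, and shows both the resulting mojibake and the ASCII-safe base64 form used by HTTP Basic credentials. The function names and the sample user and password are constructed for illustration.

```python
import base64


def wsgi_header_value(raw: bytes) -> str:
    """Decode raw header bytes as PEP 3333 requires: ISO-8859-1 (latin-1)."""
    return raw.decode("latin-1")


def recover_utf8(value: str) -> str:
    """Undo the latin-1 decoding and reinterpret the same bytes as UTF-8."""
    return value.encode("latin-1").decode("utf-8")


def build_basic_auth(user: str, password: str) -> str:
    """Client side: base64 keeps the header value ASCII-only on the wire."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_auth(header: str) -> tuple[str, str]:
    """Server side: validate the scheme, then decode the bytes as UTF-8."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


# Constructed sample values, not taken from the issue.
SAMPLE_USER = "user@example.test"
SAMPLE_PASSWORD = "é€"

if __name__ == "__main__":
    # A client sends the password as raw UTF-8 bytes in a custom header.
    seen = wsgi_header_value(SAMPLE_PASSWORD.encode("utf-8"))
    print("app sees:", repr(seen))          # mojibake, one char per byte
    print("recovered:", recover_utf8(seen))  # only valid if client sent UTF-8

    # The same credential carried base64-encoded survives unchanged.
    header = build_basic_auth(SAMPLE_USER, SAMPLE_PASSWORD)
    print("header is ASCII:", header.isascii())
    print("parsed:", parse_basic_auth(header))
```

The latin-1 round trip only recovers the value when the client really sent UTF-8; base64 removes that guess, but it is an encoding, not protection, so the credential still needs TLS.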
