Flask - “ValueError:在标题值中检测到换行符。这是一个潜在的安全问题”

时间:2015-05-13 05:45:04

标签: python flask

我是python的新手,正在玩烧瓶,并在其中一个udacity课程上建立了一个教学副本,你可以将ASCII艺术上传到一个非常基本的网页。

在玩完之后我注意到我上传的ASCII艺术时出现错误:

ValueError:检测到标题值中的换行符。这是一个潜在的安全问题

我不知道问题是什么,我在下面附上了代码和请求标题:

标题:http://imgur.com/w3oaROB 

from flask import Flask, render_template, redirect, url_for, request, flash, request
from datetime import datetime
import sqlite3
import os
from os.path import expanduser
app = Flask(__name__)


def fetch(name):
    conn = sqlite3.connect('art.db')
    cursor = conn.cursor()
    cursor.execute("SELECT * from {} ORDER BY created DESC".format(name))
    return cursor

def insert(title, art):
    time = datetime.now()
    conn = sqlite3.connect('art.db')
    cursor = conn.cursor()
    cursor.execute("""INSERT INTO art VALUES (?,?,?)""",(title, art,time))
    conn.commit()

def delete(title):
    conn = sqlite3.connect('art.db')
    cursor = conn.cursor()
    cursor.execute("""DELETE FROM art WHERE title = '{}'""".format(title))
    conn.commit()


def render_front(title='', art='', error='', posts=''):
    return render_template('front.html',title=title, art=art, error=error, posts=posts)

def get_posts(table):
    x = fetch(table)
    posts = [i for i in x]
    return posts

@app.route('/post/<title>/<art>', methods=['GET','POST'])
def new_post(title=None,art=None):
    if request.method == 'POST':
        if request.form.getlist('hidden'):
            title = request.form['hidden']
            delete(title)
            posts = get_posts('art')
            return render_front(posts=posts)
        elif request.form.getlist('titles'):
            title = request.form['titles']
            art = request.form['arts']
            if title and art:
                insert(str(title), str(art))
                return redirect('/post/{}/{}'.format(title,art))
            else:
                error = 'ERROR SOMEWHERE'
                return render_front(error=error, art=art, title=title)
    else:
        posts = [[title,art]]
        return render_front(posts=posts)

@app.route('/', methods=['GET','POST'])
def home():
    if request.method == 'POST':
        if request.form.getlist('hidden'):
            title = request.form['hidden']
            delete(title)
            posts = get_posts('art')
            return render_front(posts=posts)
        elif request.form.getlist('titles'):
            title = request.form['titles']
            art = request.form['arts']
            if title and art:
                insert(str(title), str(art))
                return redirect('/post/{}/{}'.format(title,art))
            else:
                error = 'ERROR SOMEWHERE'
                return render_front(error=error, art=art, title=title)
    else:
        posts = get_posts('art')
        return render_front(posts=posts)


if __name__ == '__main__':
    app.debug = True
    app.run()

1 个答案:

答案 0 :(得分:0)

如果标头中的值包含符号换行符\ n或\ r,则将引发ValueError并显示文本错误:“标头值中检测到换行符。这是潜在的安全问题”。如果您使用重定向,并且标头具有目标网址的关键位置,并且目标网址包含换行符\ n或\ r

,则会发生这种情况
相关问题
最新问题