
Built-in debugger malfunctions when url parameters are present

Open 0xC4DE opened this issue 8 months ago • 0 comments

When using Flask with debug enabled and attempting to debug a page with any URL parameter present, the debugger will malfunction and throw the error: "Error: Could not verify PIN. Network error?" It also does not print the debugger PIN into the console, except upon startup.

To replicate this, make a simple Flask test app that throws an error like so:

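from flask import Flask

app = Flask(__name__)


@app.route("/")
def hello_world():
    # A bare raise with no active exception raises RuntimeError,
    # which is enough to bring up the interactive debugger.
    raise
    return "<p>Hello, World!</p>"


if __name__ == "__main__":
    app.run(debug=True)  # start the development server with the debugger enabled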

Now navigate to localhost:5000, after which the debug terminal will appear and work as intended. This is what appears in the console:

127.0.0.1 - - [26/Jun/2024 12:37:39] "GET /?__debugger__=yes&cmd=resource&f=debugger.js HTTP/1.1" 304 -
127.0.0.1 - - [26/Jun/2024 12:37:39] "GET /?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 304 -
127.0.0.1 - - [26/Jun/2024 12:37:39] "GET /?__debugger__=yes&cmd=resource&f=console.png HTTP/1.1" 304 -
 * To enable the debugger you need to enter the security pin:
 * Debugger pin code: xxx-xxx-xxx
127.0.0.1 - - [26/Jun/2024 12:37:41] "GET /?__debugger__=yes&cmd=printpin&s=3WfWFdnDEWFY1zvWLTW3 HTTP/1.1" 200 -

Do not insert the debugger PIN; instead, navigate to localhost:5000?test=test (any URL parameter will cause this). The debug console will appear. Upon clicking the terminal button to bring up the PIN prompt, the prompt will appear; however, the error will appear a second time in the terminal, and no PIN will appear.

127.0.0.1 - - [26/Jun/2024 12:40:42] "GET /?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 304 -
127.0.0.1 - - [26/Jun/2024 12:40:42] "GET /?__debugger__=yes&cmd=resource&f=debugger.js HTTP/1.1" 304 -
127.0.0.1 - - [26/Jun/2024 12:40:42] "GET /?__debugger__=yes&cmd=resource&f=console.png HTTP/1.1" 304 -
127.0.0.1 - - [26/Jun/2024 12:40:51] "GET /?test=test?__debugger__=yes&cmd=printpin&s=LjqOQxjdwXsrbGPWHvJB HTTP/1.1" 500 -
Traceback (most recent call last):
...

Naturally, the debugger PIN should exist anyway. I think the issue is that ?__debugger__... is inserted instead of &__debugger__... in circumstances where URL parameters are already present. I cannot verify as I'm not certain where this should live. It's possible this is a Werkzeug problem. Feel free to tell me, and I'll reopen over there.

Environment:

  • Python version: 3.11
  • Flask version: 3.0.3 (FWIW this still happened in 2.3.3)

0xC4DE • Jun 26 '24 17:06
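The URL shape reported above, reproduced as an added example (not part of the original issue and not Flask or Werkzeug code): it builds the debugger request URL once by plain string concatenation and once with the URL API, then shows how a query-string parser reads each result. The function names and the `SECRET` placeholder are assumptions made for illustration; the page URL mirrors the one in the report.

```javascript
// Constructed placeholder; stands in for the per-session "s" value seen in the logs.
const SECRET = "PLACEHOLDER";

// Naive construction: always prefixes "?", even when the page URL
// already carries a query string. This yields the shape from the 500 log line.
function naiveDebuggerUrl(pageUrl, cmd) {
  return `${pageUrl}?__debugger__=yes&cmd=${cmd}&s=${SECRET}`;
}

// Safe construction: let the URL API merge the new parameters into
// whatever query string is already present.
function safeDebuggerUrl(pageUrl, cmd) {
  const url = new URL(pageUrl);
  url.searchParams.set("__debugger__", "yes");
  url.searchParams.set("cmd", cmd);
  url.searchParams.set("s", SECRET);
  return url.toString();
}

// What a standards-compliant query parser sees for a given URL.
function parsedQuery(urlString) {
  return Object.fromEntries(new URL(urlString).searchParams.entries());
}

// Constructed sample input matching the report's second scenario.
const page = "http://localhost:5000/?test=test";

const broken = parsedQuery(naiveDebuggerUrl(page, "printpin"));
const fixed = parsedQuery(safeDebuggerUrl(page, "printpin"));

// In the broken URL the second "?" is just data inside the value of "test",
// so no "__debugger__" key exists for the server to match on.
console.log("naive:", naiveDebuggerUrl(page, "printpin"), broken);
console.log("safe: ", safeDebuggerUrl(page, "printpin"), fixed);
```

With the naive URL, the request carries no `__debugger__` parameter at all, which is consistent with the 500 response and second traceback in the log.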