From 87e4c476216ab25206b4e583b4206e762c3b9fe0 Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Sat, 3 Apr 2021 13:56:47 +0200 Subject: [PATCH] [fix] url_for(..., _external=True) in templates The `url_for` function in the template context is not the one from Flask, it is the one from `webapp`. The `webapp.url_for_theme` is different from its namesake of Flask and has it quirks, when called with argument `_external=True`. The `webapp.url_for_theme` can't handle absolute URLs since it pokes a leading '/', here is the snippet of the old code:: url = url_for(endpoint, **values) if settings['server']['base_url']: if url.startswith('/'): url = url[1:] url = urljoin(settings['server']['base_url'], url) Next drawback of (Flask's) `_external=True` is, that it will not return the HTTP scheme when searx (the Flask app) listens on http and is proxied by a https server. To get the right scheme `HTTP_X_SCHEME` is needed by Flask (werkzeug). Since this is not provided in every environment (e.g. behind Apache mod_wsgi or the HTTP header is not fully set for some other reasons) it is recommended to get *script_name*, *server* and *scheme* from the configured `base_url`. If `base_url` is specified, then these values from are given preference over any Flask's generics. BTW this patch normalize to use `url_for` in the `opensearch.xml` and drop the need of `host` and `urljoin` in template's context. Signed-off-by: Markus Heiser --- searx/templates/__common__/opensearch.xml | 4 +- searx/webapp.py | 52 +++++++++++++---------- 2 files changed, 32 insertions(+), 24 deletions(-) diff --git a/searx/templates/__common__/opensearch.xml b/searx/templates/__common__/opensearch.xml index 2476258c..230f327a 100644 --- a/searx/templates/__common__/opensearch.xml +++ b/searx/templates/__common__/opensearch.xml @@ -3,7 +3,7 @@ {{ instance_name }} a privacy-respecting, hackable metasearch engine UTF-8 - {{ urljoin(host, url_for('static', filename='img/favicon.png')) }} + {{ url_for('static', filename='img/favicon.png', _external=True) }} searx metasearch {% if opensearch_method == 'get' %} @@ -13,7 +13,7 @@ {% endif %} {% if autocomplete %} - + {% endif %} = 0: method = 'get' - ret = render('opensearch.xml', - opensearch_method=method, - host=get_base_url(), - urljoin=urljoin, - override_theme='__common__') + ret = render( + 'opensearch.xml', + opensearch_method=method, + override_theme='__common__' + ) resp = Response(response=ret, status=200, @@ -1027,7 +1016,7 @@ def favicon(): @app.route('/clear_cookies') def clear_cookies(): - resp = make_response(redirect(urljoin(settings['server']['base_url'], url_for('index')))) + resp = make_response(redirect(url_for('index', _external=True))) for cookie_name in request.cookies: resp.delete_cookie(cookie_name) return resp @@ -1128,19 +1117,38 @@ class ReverseProxyPathFix: ''' def __init__(self, app): + self.app = app + self.script_name = None + self.scheme = None + self.server = None + + if settings['server']['base_url']: + + # If base_url is specified, then these values from are given + # preference over any Flask's generics. + + base_url = urlparse(settings['server']['base_url']) + self.script_name = base_url.path + self.scheme = base_url.scheme + self.server = base_url.netloc def __call__(self, environ, start_response): - script_name = environ.get('HTTP_X_SCRIPT_NAME', '') + + script_name = self.script_name or environ.get('HTTP_X_SCRIPT_NAME', '') if script_name: environ['SCRIPT_NAME'] = script_name path_info = environ['PATH_INFO'] if path_info.startswith(script_name): environ['PATH_INFO'] = path_info[len(script_name):] - scheme = environ.get('HTTP_X_SCHEME', '') + scheme = self.scheme or environ.get('HTTP_X_SCHEME', '') if scheme: environ['wsgi.url_scheme'] = scheme + + server = self.server or environ.get('HTTP_X_FORWARDED_HOST', '') + if server: + environ['HTTP_HOST'] = server return self.app(environ, start_response)