request.py 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614
  1. import functools
  2. import json
  3. import typing
  4. import typing as t
  5. from io import BytesIO
  6. from .._internal import _wsgi_decoding_dance
  7. from ..datastructures import CombinedMultiDict
  8. from ..datastructures import EnvironHeaders
  9. from ..datastructures import FileStorage
  10. from ..datastructures import ImmutableMultiDict
  11. from ..datastructures import iter_multi_items
  12. from ..datastructures import MultiDict
  13. from ..formparser import default_stream_factory
  14. from ..formparser import FormDataParser
  15. from ..sansio.request import Request as _SansIORequest
  16. from ..utils import cached_property
  17. from ..utils import environ_property
  18. from ..wsgi import _get_server
  19. from ..wsgi import get_input_stream
  20. from werkzeug.exceptions import BadRequest
  21. if t.TYPE_CHECKING:
  22. import typing_extensions as te
  23. from _typeshed.wsgi import WSGIApplication
  24. from _typeshed.wsgi import WSGIEnvironment
  25. class Request(_SansIORequest):
  26. """Represents an incoming WSGI HTTP request, with headers and body
  27. taken from the WSGI environment. Has properties and methods for
  28. using the functionality defined by various HTTP specs. The data in
  29. requests object is read-only.
  30. Text data is assumed to use UTF-8 encoding, which should be true for
  31. the vast majority of modern clients. Using an encoding set by the
  32. client is unsafe in Python due to extra encodings it provides, such
  33. as ``zip``. To change the assumed encoding, subclass and replace
  34. :attr:`charset`.
  35. :param environ: The WSGI environ is generated by the WSGI server and
  36. contains information about the server configuration and client
  37. request.
  38. :param populate_request: Add this request object to the WSGI environ
  39. as ``environ['werkzeug.request']``. Can be useful when
  40. debugging.
  41. :param shallow: Makes reading from :attr:`stream` (and any method
  42. that would read from it) raise a :exc:`RuntimeError`. Useful to
  43. prevent consuming the form data in middleware, which would make
  44. it unavailable to the final application.
  45. .. versionchanged:: 2.1
  46. Remove the ``disable_data_descriptor`` attribute.
  47. .. versionchanged:: 2.0
  48. Combine ``BaseRequest`` and mixins into a single ``Request``
  49. class. Using the old classes is deprecated and will be removed
  50. in Werkzeug 2.1.
  51. .. versionchanged:: 0.5
  52. Read-only mode is enforced with immutable classes for all data.
  53. """
  54. #: the maximum content length. This is forwarded to the form data
  55. #: parsing function (:func:`parse_form_data`). When set and the
  56. #: :attr:`form` or :attr:`files` attribute is accessed and the
  57. #: parsing fails because more than the specified value is transmitted
  58. #: a :exc:`~werkzeug.exceptions.RequestEntityTooLarge` exception is raised.
  59. #:
  60. #: Have a look at :doc:`/request_data` for more details.
  61. #:
  62. #: .. versionadded:: 0.5
  63. max_content_length: t.Optional[int] = None
  64. #: the maximum form field size. This is forwarded to the form data
  65. #: parsing function (:func:`parse_form_data`). When set and the
  66. #: :attr:`form` or :attr:`files` attribute is accessed and the
  67. #: data in memory for post data is longer than the specified value a
  68. #: :exc:`~werkzeug.exceptions.RequestEntityTooLarge` exception is raised.
  69. #:
  70. #: Have a look at :doc:`/request_data` for more details.
  71. #:
  72. #: .. versionadded:: 0.5
  73. max_form_memory_size: t.Optional[int] = None
  74. #: The form data parser that should be used. Can be replaced to customize
  75. #: the form date parsing.
  76. form_data_parser_class: t.Type[FormDataParser] = FormDataParser
  77. #: The WSGI environment containing HTTP headers and information from
  78. #: the WSGI server.
  79. environ: "WSGIEnvironment"
  80. #: Set when creating the request object. If ``True``, reading from
  81. #: the request body will cause a ``RuntimeException``. Useful to
  82. #: prevent modifying the stream from middleware.
  83. shallow: bool
  84. def __init__(
  85. self,
  86. environ: "WSGIEnvironment",
  87. populate_request: bool = True,
  88. shallow: bool = False,
  89. ) -> None:
  90. super().__init__(
  91. method=environ.get("REQUEST_METHOD", "GET"),
  92. scheme=environ.get("wsgi.url_scheme", "http"),
  93. server=_get_server(environ),
  94. root_path=_wsgi_decoding_dance(
  95. environ.get("SCRIPT_NAME") or "", self.charset, self.encoding_errors
  96. ),
  97. path=_wsgi_decoding_dance(
  98. environ.get("PATH_INFO") or "", self.charset, self.encoding_errors
  99. ),
  100. query_string=environ.get("QUERY_STRING", "").encode("latin1"),
  101. headers=EnvironHeaders(environ),
  102. remote_addr=environ.get("REMOTE_ADDR"),
  103. )
  104. self.environ = environ
  105. self.shallow = shallow
  106. if populate_request and not shallow:
  107. self.environ["werkzeug.request"] = self
  108. @classmethod
  109. def from_values(cls, *args: t.Any, **kwargs: t.Any) -> "Request":
  110. """Create a new request object based on the values provided. If
  111. environ is given missing values are filled from there. This method is
  112. useful for small scripts when you need to simulate a request from an URL.
  113. Do not use this method for unittesting, there is a full featured client
  114. object (:class:`Client`) that allows to create multipart requests,
  115. support for cookies etc.
  116. This accepts the same options as the
  117. :class:`~werkzeug.test.EnvironBuilder`.
  118. .. versionchanged:: 0.5
  119. This method now accepts the same arguments as
  120. :class:`~werkzeug.test.EnvironBuilder`. Because of this the
  121. `environ` parameter is now called `environ_overrides`.
  122. :return: request object
  123. """
  124. from ..test import EnvironBuilder
  125. charset = kwargs.pop("charset", cls.charset)
  126. kwargs["charset"] = charset
  127. builder = EnvironBuilder(*args, **kwargs)
  128. try:
  129. return builder.get_request(cls)
  130. finally:
  131. builder.close()
  132. @classmethod
  133. def application(
  134. cls, f: t.Callable[["Request"], "WSGIApplication"]
  135. ) -> "WSGIApplication":
  136. """Decorate a function as responder that accepts the request as
  137. the last argument. This works like the :func:`responder`
  138. decorator but the function is passed the request object as the
  139. last argument and the request object will be closed
  140. automatically::
  141. @Request.application
  142. def my_wsgi_app(request):
  143. return Response('Hello World!')
  144. As of Werkzeug 0.14 HTTP exceptions are automatically caught and
  145. converted to responses instead of failing.
  146. :param f: the WSGI callable to decorate
  147. :return: a new WSGI callable
  148. """
  149. #: return a callable that wraps the -2nd argument with the request
  150. #: and calls the function with all the arguments up to that one and
  151. #: the request. The return value is then called with the latest
  152. #: two arguments. This makes it possible to use this decorator for
  153. #: both standalone WSGI functions as well as bound methods and
  154. #: partially applied functions.
  155. from ..exceptions import HTTPException
  156. @functools.wraps(f)
  157. def application(*args): # type: ignore
  158. request = cls(args[-2])
  159. with request:
  160. try:
  161. resp = f(*args[:-2] + (request,))
  162. except HTTPException as e:
  163. resp = e.get_response(args[-2])
  164. return resp(*args[-2:])
  165. return t.cast("WSGIApplication", application)
  166. def _get_file_stream(
  167. self,
  168. total_content_length: t.Optional[int],
  169. content_type: t.Optional[str],
  170. filename: t.Optional[str] = None,
  171. content_length: t.Optional[int] = None,
  172. ) -> t.IO[bytes]:
  173. """Called to get a stream for the file upload.
  174. This must provide a file-like class with `read()`, `readline()`
  175. and `seek()` methods that is both writeable and readable.
  176. The default implementation returns a temporary file if the total
  177. content length is higher than 500KB. Because many browsers do not
  178. provide a content length for the files only the total content
  179. length matters.
  180. :param total_content_length: the total content length of all the
  181. data in the request combined. This value
  182. is guaranteed to be there.
  183. :param content_type: the mimetype of the uploaded file.
  184. :param filename: the filename of the uploaded file. May be `None`.
  185. :param content_length: the length of this file. This value is usually
  186. not provided because webbrowsers do not provide
  187. this value.
  188. """
  189. return default_stream_factory(
  190. total_content_length=total_content_length,
  191. filename=filename,
  192. content_type=content_type,
  193. content_length=content_length,
  194. )
  195. @property
  196. def want_form_data_parsed(self) -> bool:
  197. """``True`` if the request method carries content. By default
  198. this is true if a ``Content-Type`` is sent.
  199. .. versionadded:: 0.8
  200. """
  201. return bool(self.environ.get("CONTENT_TYPE"))
  202. def make_form_data_parser(self) -> FormDataParser:
  203. """Creates the form data parser. Instantiates the
  204. :attr:`form_data_parser_class` with some parameters.
  205. .. versionadded:: 0.8
  206. """
  207. return self.form_data_parser_class(
  208. self._get_file_stream,
  209. self.charset,
  210. self.encoding_errors,
  211. self.max_form_memory_size,
  212. self.max_content_length,
  213. self.parameter_storage_class,
  214. )
  215. def _load_form_data(self) -> None:
  216. """Method used internally to retrieve submitted data. After calling
  217. this sets `form` and `files` on the request object to multi dicts
  218. filled with the incoming form data. As a matter of fact the input
  219. stream will be empty afterwards. You can also call this method to
  220. force the parsing of the form data.
  221. .. versionadded:: 0.8
  222. """
  223. # abort early if we have already consumed the stream
  224. if "form" in self.__dict__:
  225. return
  226. if self.want_form_data_parsed:
  227. parser = self.make_form_data_parser()
  228. data = parser.parse(
  229. self._get_stream_for_parsing(),
  230. self.mimetype,
  231. self.content_length,
  232. self.mimetype_params,
  233. )
  234. else:
  235. data = (
  236. self.stream,
  237. self.parameter_storage_class(),
  238. self.parameter_storage_class(),
  239. )
  240. # inject the values into the instance dict so that we bypass
  241. # our cached_property non-data descriptor.
  242. d = self.__dict__
  243. d["stream"], d["form"], d["files"] = data
  244. def _get_stream_for_parsing(self) -> t.IO[bytes]:
  245. """This is the same as accessing :attr:`stream` with the difference
  246. that if it finds cached data from calling :meth:`get_data` first it
  247. will create a new stream out of the cached data.
  248. .. versionadded:: 0.9.3
  249. """
  250. cached_data = getattr(self, "_cached_data", None)
  251. if cached_data is not None:
  252. return BytesIO(cached_data)
  253. return self.stream
  254. def close(self) -> None:
  255. """Closes associated resources of this request object. This
  256. closes all file handles explicitly. You can also use the request
  257. object in a with statement which will automatically close it.
  258. .. versionadded:: 0.9
  259. """
  260. files = self.__dict__.get("files")
  261. for _key, value in iter_multi_items(files or ()):
  262. value.close()
  263. def __enter__(self) -> "Request":
  264. return self
  265. def __exit__(self, exc_type, exc_value, tb) -> None: # type: ignore
  266. self.close()
  267. @cached_property
  268. def stream(self) -> t.IO[bytes]:
  269. """
  270. If the incoming form data was not encoded with a known mimetype
  271. the data is stored unmodified in this stream for consumption. Most
  272. of the time it is a better idea to use :attr:`data` which will give
  273. you that data as a string. The stream only returns the data once.
  274. Unlike :attr:`input_stream` this stream is properly guarded that you
  275. can't accidentally read past the length of the input. Werkzeug will
  276. internally always refer to this stream to read data which makes it
  277. possible to wrap this object with a stream that does filtering.
  278. .. versionchanged:: 0.9
  279. This stream is now always available but might be consumed by the
  280. form parser later on. Previously the stream was only set if no
  281. parsing happened.
  282. """
  283. if self.shallow:
  284. raise RuntimeError(
  285. "This request was created with 'shallow=True', reading"
  286. " from the input stream is disabled."
  287. )
  288. return get_input_stream(self.environ)
  289. input_stream = environ_property[t.IO[bytes]](
  290. "wsgi.input",
  291. doc="""The WSGI input stream.
  292. In general it's a bad idea to use this one because you can
  293. easily read past the boundary. Use the :attr:`stream`
  294. instead.""",
  295. )
  296. @cached_property
  297. def data(self) -> bytes:
  298. """
  299. Contains the incoming request data as string in case it came with
  300. a mimetype Werkzeug does not handle.
  301. """
  302. return self.get_data(parse_form_data=True)
  303. @typing.overload
  304. def get_data( # type: ignore
  305. self,
  306. cache: bool = True,
  307. as_text: "te.Literal[False]" = False,
  308. parse_form_data: bool = False,
  309. ) -> bytes:
  310. ...
  311. @typing.overload
  312. def get_data(
  313. self,
  314. cache: bool = True,
  315. as_text: "te.Literal[True]" = ...,
  316. parse_form_data: bool = False,
  317. ) -> str:
  318. ...
  319. def get_data(
  320. self, cache: bool = True, as_text: bool = False, parse_form_data: bool = False
  321. ) -> t.Union[bytes, str]:
  322. """This reads the buffered incoming data from the client into one
  323. bytes object. By default this is cached but that behavior can be
  324. changed by setting `cache` to `False`.
  325. Usually it's a bad idea to call this method without checking the
  326. content length first as a client could send dozens of megabytes or more
  327. to cause memory problems on the server.
  328. Note that if the form data was already parsed this method will not
  329. return anything as form data parsing does not cache the data like
  330. this method does. To implicitly invoke form data parsing function
  331. set `parse_form_data` to `True`. When this is done the return value
  332. of this method will be an empty string if the form parser handles
  333. the data. This generally is not necessary as if the whole data is
  334. cached (which is the default) the form parser will used the cached
  335. data to parse the form data. Please be generally aware of checking
  336. the content length first in any case before calling this method
  337. to avoid exhausting server memory.
  338. If `as_text` is set to `True` the return value will be a decoded
  339. string.
  340. .. versionadded:: 0.9
  341. """
  342. rv = getattr(self, "_cached_data", None)
  343. if rv is None:
  344. if parse_form_data:
  345. self._load_form_data()
  346. rv = self.stream.read()
  347. if cache:
  348. self._cached_data = rv
  349. if as_text:
  350. rv = rv.decode(self.charset, self.encoding_errors)
  351. return rv
  352. @cached_property
  353. def form(self) -> "ImmutableMultiDict[str, str]":
  354. """The form parameters. By default an
  355. :class:`~werkzeug.datastructures.ImmutableMultiDict`
  356. is returned from this function. This can be changed by setting
  357. :attr:`parameter_storage_class` to a different type. This might
  358. be necessary if the order of the form data is important.
  359. Please keep in mind that file uploads will not end up here, but instead
  360. in the :attr:`files` attribute.
  361. .. versionchanged:: 0.9
  362. Previous to Werkzeug 0.9 this would only contain form data for POST
  363. and PUT requests.
  364. """
  365. self._load_form_data()
  366. return self.form
  367. @cached_property
  368. def values(self) -> "CombinedMultiDict[str, str]":
  369. """A :class:`werkzeug.datastructures.CombinedMultiDict` that
  370. combines :attr:`args` and :attr:`form`.
  371. For GET requests, only ``args`` are present, not ``form``.
  372. .. versionchanged:: 2.0
  373. For GET requests, only ``args`` are present, not ``form``.
  374. """
  375. sources = [self.args]
  376. if self.method != "GET":
  377. # GET requests can have a body, and some caching proxies
  378. # might not treat that differently than a normal GET
  379. # request, allowing form data to "invisibly" affect the
  380. # cache without indication in the query string / URL.
  381. sources.append(self.form)
  382. args = []
  383. for d in sources:
  384. if not isinstance(d, MultiDict):
  385. d = MultiDict(d)
  386. args.append(d)
  387. return CombinedMultiDict(args)
  388. @cached_property
  389. def files(self) -> "ImmutableMultiDict[str, FileStorage]":
  390. """:class:`~werkzeug.datastructures.MultiDict` object containing
  391. all uploaded files. Each key in :attr:`files` is the name from the
  392. ``<input type="file" name="">``. Each value in :attr:`files` is a
  393. Werkzeug :class:`~werkzeug.datastructures.FileStorage` object.
  394. It basically behaves like a standard file object you know from Python,
  395. with the difference that it also has a
  396. :meth:`~werkzeug.datastructures.FileStorage.save` function that can
  397. store the file on the filesystem.
  398. Note that :attr:`files` will only contain data if the request method was
  399. POST, PUT or PATCH and the ``<form>`` that posted to the request had
  400. ``enctype="multipart/form-data"``. It will be empty otherwise.
  401. See the :class:`~werkzeug.datastructures.MultiDict` /
  402. :class:`~werkzeug.datastructures.FileStorage` documentation for
  403. more details about the used data structure.
  404. """
  405. self._load_form_data()
  406. return self.files
  407. @property
  408. def script_root(self) -> str:
  409. """Alias for :attr:`self.root_path`. ``environ["SCRIPT_ROOT"]``
  410. without a trailing slash.
  411. """
  412. return self.root_path
  413. @cached_property
  414. def url_root(self) -> str:
  415. """Alias for :attr:`root_url`. The URL with scheme, host, and
  416. root path. For example, ``https://example.com/app/``.
  417. """
  418. return self.root_url
  419. remote_user = environ_property[str](
  420. "REMOTE_USER",
  421. doc="""If the server supports user authentication, and the
  422. script is protected, this attribute contains the username the
  423. user has authenticated as.""",
  424. )
  425. is_multithread = environ_property[bool](
  426. "wsgi.multithread",
  427. doc="""boolean that is `True` if the application is served by a
  428. multithreaded WSGI server.""",
  429. )
  430. is_multiprocess = environ_property[bool](
  431. "wsgi.multiprocess",
  432. doc="""boolean that is `True` if the application is served by a
  433. WSGI server that spawns multiple processes.""",
  434. )
  435. is_run_once = environ_property[bool](
  436. "wsgi.run_once",
  437. doc="""boolean that is `True` if the application will be
  438. executed only once in a process lifetime. This is the case for
  439. CGI for example, but it's not guaranteed that the execution only
  440. happens one time.""",
  441. )
  442. # JSON
  443. #: A module or other object that has ``dumps`` and ``loads``
  444. #: functions that match the API of the built-in :mod:`json` module.
  445. json_module = json
  446. @property
  447. def json(self) -> t.Optional[t.Any]:
  448. """The parsed JSON data if :attr:`mimetype` indicates JSON
  449. (:mimetype:`application/json`, see :attr:`is_json`).
  450. Calls :meth:`get_json` with default arguments.
  451. If the request content type is not ``application/json``, this
  452. will raise a 400 Bad Request error.
  453. .. versionchanged:: 2.1
  454. Raise a 400 error if the content type is incorrect.
  455. """
  456. return self.get_json()
  457. # Cached values for ``(silent=False, silent=True)``. Initialized
  458. # with sentinel values.
  459. _cached_json: t.Tuple[t.Any, t.Any] = (Ellipsis, Ellipsis)
  460. def get_json(
  461. self, force: bool = False, silent: bool = False, cache: bool = True
  462. ) -> t.Optional[t.Any]:
  463. """Parse :attr:`data` as JSON.
  464. If the mimetype does not indicate JSON
  465. (:mimetype:`application/json`, see :attr:`is_json`), or parsing
  466. fails, :meth:`on_json_loading_failed` is called and
  467. its return value is used as the return value. By default this
  468. raises a 400 Bad Request error.
  469. :param force: Ignore the mimetype and always try to parse JSON.
  470. :param silent: Silence mimetype and parsing errors, and
  471. return ``None`` instead.
  472. :param cache: Store the parsed JSON to return for subsequent
  473. calls.
  474. .. versionchanged:: 2.1
  475. Raise a 400 error if the content type is incorrect.
  476. """
  477. if cache and self._cached_json[silent] is not Ellipsis:
  478. return self._cached_json[silent]
  479. if not (force or self.is_json):
  480. if not silent:
  481. return self.on_json_loading_failed(None)
  482. else:
  483. return None
  484. data = self.get_data(cache=cache)
  485. try:
  486. rv = self.json_module.loads(data)
  487. except ValueError as e:
  488. if silent:
  489. rv = None
  490. if cache:
  491. normal_rv, _ = self._cached_json
  492. self._cached_json = (normal_rv, rv)
  493. else:
  494. rv = self.on_json_loading_failed(e)
  495. if cache:
  496. _, silent_rv = self._cached_json
  497. self._cached_json = (rv, silent_rv)
  498. else:
  499. if cache:
  500. self._cached_json = (rv, rv)
  501. return rv
  502. def on_json_loading_failed(self, e: t.Optional[ValueError]) -> t.Any:
  503. """Called if :meth:`get_json` fails and isn't silenced.
  504. If this method returns a value, it is used as the return value
  505. for :meth:`get_json`. The default implementation raises
  506. :exc:`~werkzeug.exceptions.BadRequest`.
  507. :param e: If parsing failed, this is the exception. It will be
  508. ``None`` if the content type wasn't ``application/json``.
  509. """
  510. if e is not None:
  511. raise BadRequest(f"Failed to decode JSON object: {e}")
  512. raise BadRequest(
  513. "Did not attempt to load JSON data because the request"
  514. " Content-Type was not 'application/json'."
  515. )