werkzeug: regex URL converter matches incorrect value

I have the following code in a Flask App using Werkzeug


# Redirect requests for the older image URLs to new URLs
@app.route(
    '/static/images/2019/<regex("(privacy|jamstack|capabilities)"):folder>/<image>'
)
def redirect_old_hero_images(folder, image):
    return redirect("/static/images/2020/%s/%s" % (folder, image)), 301

prior to 2.2.0 this would allow the following redirect:

/static/images/2019/jamstack/random.png

/static/images/2020/jamstack/random.png

Now however it incorrectly sends us to:

/static/images/2020/jamstack/jamstack

Pinning werkzeug to 2.1.2 fixes the issue.

Environment:

Python version: 3.8
Werkzeug version: 2.2.0 and 2.2.1

About this issue

Original URL
State: closed
Created 2 years ago
Comments: 22 (12 by maintainers)

Commits related to this issue

Minor update to the routing converter docs This should clarify that the regex itself is matched as a group and hence discourage gropuing within. See also #2481. — committed to pgjones/werkzeug by pgjones 2 years ago
dependencies: prohibit werkzeug 2.2.0 and 2.2.1 they broke us due to https://github.com/pallets/werkzeug/issues/2481#issuecomment-1204501285 . 2.2.2 (https://github.com/pallets/werkzeug/pull/2489) fi... — committed to snarfed/flask-gae-static by snarfed 2 years ago

Most upvoted comments

@pgjones this seems like an issue, because I’d expect a custom converter might legitimately want to use a character group []. We should figure out why that doesn’t work now.

davidism on Aug 4, 2022

It looks like that’s the same issue, you have a capturing group in your regex. The regexes for converters are intended to be fairly simple, with further validation done in to_python. Your solution to accept a string and do the check in the view is fine too.

davidism on Aug 3, 2022