Files
@ aa51aca7fd1a
Branch filter:
Location: kallithea/scripts/whitespacecleanup.sh - annotation
aa51aca7fd1a
1.1 KiB
text/x-sh
controller: Handle UnicodeDecodeError from webob decoding invalid URLs
webob will try to utf-8 decode all %-encoded bytes in URL-parameters, but will
not handle Unicode erors ... and neither did Kallithea. Visiting a URL like
http://localhost:5000/?%AD would thus give an unhandled exception showing
"Internal Server Error" to the user, and logging the full traceback and:
WebApp Error: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xad in position 0: invalid start byte
This has been seen a lot recently from attackers probing for a php
vulnerability
https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/ .
Now handle these exceptions more nicely and reject with "400 Bad Request".
webob will try to utf-8 decode all %-encoded bytes in URL-parameters, but will
not handle Unicode erors ... and neither did Kallithea. Visiting a URL like
http://localhost:5000/?%AD would thus give an unhandled exception showing
"Internal Server Error" to the user, and logging the full traceback and:
WebApp Error: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xad in position 0: invalid start byte
This has been seen a lot recently from attackers probing for a php
vulnerability
https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/ .
Now handle these exceptions more nicely and reject with "400 Bad Request".
bf85e6018daa fce926a9d7c7 fce926a9d7c7 fce926a9d7c7 0a84ef075575 fce926a9d7c7 6e952212bf06 fce926a9d7c7 fce926a9d7c7 edb24bc0f71a fce926a9d7c7 fce926a9d7c7 fce926a9d7c7 0a84ef075575 0a84ef075575 fce926a9d7c7 0a84ef075575 0a84ef075575 fce926a9d7c7 5698307382de 0a84ef075575 5698307382de 8d663d23ab85 fce926a9d7c7 | #!/bin/bash -xe
# Enforce some consistency in whitespace - just to avoid spurious whitespaces changes
files=`hg files | egrep -v '/fontello/|/templates/email/|(^LICENSE-MERGELY.html|^docs/Makefile|^scripts/whitespacecleanup.sh|/(graph|mergely|native.history)\.js|/test_dump_html_mails.ref.html|\.png|\.gif|\.ico|\.pot|\.po|\.mo|\.tar\.gz|\.diff)$'`
sed -i "s/`printf '\r'`//g" $files
sed -i -e "s,`printf '\t'`, ,g" $files
sed -i -e "s, *$,,g" $files
sed -i -e 's,\([^ ]\)\\$,\1 \\,g' -e 's,\(["'"'"']["'"'"']["'"'"']\) \\$,\1\\,g' $files
# ensure one trailing newline - remove empty last line and make last line include trailing newline:
sed -i -e '$,${/^$/d}' -e '$a\' $files
sed -i -e 's,\([^ /]\){,\1 {,g' `hg files 'set:**.css'`
sed -i -e 's|^\([^ /].*,\)\([^ ]\)|\1 \2|g' `hg files 'set:**.css'`
hg files | xargs chmod -x
hg files 'set:!binary()&grep("^#!")&!(**_tmpl.py)&!(**/template**)' | xargs chmod +x
# isort is installed from dev_requirements.txt
hg files 'set:!binary()&grep("^#!.*python")' 'set:**.py' | xargs isort --line-width 160 --lines-after-imports 2
echo "diff after $0:"
hg diff
|