kallithea Changeset - aa51aca7fd1a

Changeset - aa51aca7fd1a

Parent rev.

Child rev.

[Not reviewed]

stable

0 3 0

Valentin Kleibel - 19 months ago 2024-08-26 21:13:06
valentin@vrvis.at

Grafted from: 8daf3500d52f

controller: Handle UnicodeDecodeError from webob decoding invalid URLs

webob will try to utf-8 decode all %-encoded bytes in URL-parameters, but will
not handle Unicode erors ... and neither did Kallithea. Visiting a URL like
http://localhost:5000/?%AD would thus give an unhandled exception showing
"Internal Server Error" to the user, and logging the full traceback and:

WebApp Error: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xad in position 0: invalid start byte

This has been seen a lot recently from attackers probing for a php
vulnerability
https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/ .

Now handle these exceptions more nicely and reject with "400 Bad Request".

3 files changed with 11 insertions and 1 deletions:

CONTRIBUTORS

kallithea/controllers/base.py

kallithea/templates/about.html

0 comments (0 inline, 0 general)

CONTRIBUTORS

➞

Show inline comments

@@ @@ -3,6 +3,7 @@ List of contributors to Kallithea projec @@
     Mads Kiilerich <mads@kiilerich.com> 2016-2024
     Aristotelis Stageiritis <aristotelis79@gmail.com> 2024
     Poesty Li <poesty7450@gmail.com> 2024
     Valentin Kleibel <valentin@vrvis.at> 2024
     Manuel Jacob <me@manueljacob.de> 2019-2020 2022-2023
     Mathias De Mare <mathias.de_mare@nokia.com> 2023
     qy117121 <mixuan121@gmail.com> 2023

kallithea/controllers/base.py

➞

Show inline comments

@@ @@ -456,8 +456,16 @@ class BaseController(TGController): @@
         if request.method not in ['GET', 'HEAD', 'POST']:
             raise webob.exc.HTTPMethodNotAllowed()
         try:
             params = request.params
         except UnicodeDecodeError as e:
             # webobj will leak UnicodeDecodeError when decoding invalid
             # URLencoded byte sequences in parameters
             log.error('Error decoding request parameters: %s' % e)
             raise webob.exc.HTTPBadRequest()
         # Also verify the _method override - no longer allowed.
-        if request.params.get('_method') is None:
         if params.get('_method') is None:
             pass # no override, no problem
         else:
             raise webob.exc.HTTPMethodNotAllowed()

kallithea/templates/about.html

➞

Show inline comments

@@ @@ -27,6 +27,7 @@ @@
   <li>Copyright &copy; 2012&ndash;2024, Mads Kiilerich</li>
   <li>Copyright &copy; 2024, Aristotelis Stageiritis</li>
   <li>Copyright &copy; 2024, Poesty Li</li>
   <li>Copyright &copy; 2024, Valentin Kleibel</li>
   <li>Copyright &copy; 2019&ndash;2020, 2022&ndash;2023, Manuel Jacob</li>
   <li>Copyright &copy; 2023, Mathias De Mare</li>
   <li>Copyright &copy; 2023, qy117121</li>

0 comments (0 inline, 0 general)