Hi,

we have recently noticed a lot of errors in Kallithea from probing for a php vulnerability [1] looking like: "WebApp Error: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xad in position 0: invalid start byte"

This can be reproduced with curl:
curl https://example.com/?%AD

The error stems from webob naively trying to utf-8 decode all %-encoded bytes in URL-parameters.

In my opinion this exception should be handled and an error 400 should be returned.

Attached you can find a small patch I created to check for this in kallithea/controllers/base.py:_basic_security_checks().

Best Regards,
Valentin


[1] https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
--- kallithea/controllers/base.py	2024-08-26 15:52:23.110483520 +0200
+++ kallithea/controllers/base.py	2024-08-26 16:10:46.701889438 +0200
@@ -452,6 +452,15 @@
     def _basic_security_checks():
         """Perform basic security/sanity checks before processing the request."""
 
+        # invalid URLencoded byte sequences will raise a UnicodeDecodeError
+        # webobj doesn't catch this so we access the parameters catch
+        try:
+            request.GET
+            request.POST
+        except UnicodeDecodeError as e:
+            log.error('Error decoding URL encoded string: %s' % e)
+            raise webob.exc.HTTPBadRequest()
+
         # Only allow the following HTTP request methods.
         if request.method not in ['GET', 'HEAD', 'POST']:
             raise webob.exc.HTTPMethodNotAllowed()
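Review bot: `log.error('Error decoding URL encoded string: %s' % e)` records every probe at ERROR level with eager `%` interpolation; since the mail itself says these requests arrive in bulk, a malformed byte supplied by a client is not a server error and will flood the error log. Suggest `log.warning('Error decoding URL encoded string: %s', e)` (lazy formatting, lower severity). Two smaller points in the same hunk: the comment says "webobj" where "webob" is meant, and "so we access the parameters catch" is missing a word ("access the parameters here and catch it"); and the bare `request.GET` / `request.POST` expression statements work because webob evaluates those properties lazily, but linters flag them as useless expressions, so a short comment stating that the access is deliberate (or assigning to `_`) would help the next reader.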
_______________________________________________
kallithea-general mailing list
https://lists.sfconservancy.org/mailman/listinfo/kallithea-general
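The failure mode described in the mail (a percent-encoded byte such as `%AD` that is not valid UTF-8 surfacing as an unhandled UnicodeDecodeError) can be shown with the standard library alone. The following is an added example, not code from the mail or from Kallithea or webob: `parse_qs` defaults to `errors='replace'`, which silently turns the bad byte into U+FFFD, whereas `errors='strict'` raises the same exception webob does, and a minimal constructed WSGI app turns that exception into a 400 before any handler runs. The function names, the WSGI app and the sample query strings are all constructed for this example.

```python
"""Added example (not part of the original mail or of Kallithea/webob):
validate a percent-encoded query string up front and answer invalid UTF-8
with HTTP 400 instead of letting UnicodeDecodeError escape as a 500.
Standard library only; function names, WSGI app and inputs are constructed."""
from urllib.parse import parse_qs


def parse_query_strict(query_string: str) -> dict:
    """Decode a query string, raising UnicodeDecodeError on percent-encoded
    bytes that are not valid UTF-8.

    parse_qs defaults to errors='replace', which substitutes U+FFFD and hides
    the problem; errors='strict' reproduces the behaviour the mail reports
    for webob (the exception propagates to the caller)."""
    return parse_qs(query_string, keep_blank_values=True, errors="strict")


def classify_query(query_string: str) -> tuple[int, dict]:
    """Return (status, params): 200 with the parsed parameters, or 400 and
    an empty dict when the query contains an invalid byte sequence."""
    try:
        return 200, parse_query_strict(query_string)
    except UnicodeDecodeError:
        # Client-supplied garbage: a 4xx, not a server error.
        return 400, {}


def wsgi_app(environ, start_response):
    """Constructed WSGI app: reject a malformed query string before doing
    any application work (mirrors the intent of the attached patch)."""
    status, params = classify_query(environ.get("QUERY_STRING", ""))
    if status == 400:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"invalid percent-encoding in query string\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [repr(params).encode("utf-8")]


if __name__ == "__main__":
    # Constructed inputs: the probe from the mail and a valid UTF-8 value.
    for qs in ("%AD", "q=caf%C3%A9", ""):
        print(repr(qs), "->", classify_query(qs))
```

Running the block prints `(400, {})` for the `%AD` probe from the mail and `(200, {'q': ['café']})` for a well-formed value; the same check could be placed in a WSGI middleware so that every application behind it gets the 400 without touching controller code.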