Hi
Thanks for the report and the patch.
We could also catch this exception in the big try-except clause in
__call__, and we could catch the more generic UnicodeError. But that
would perhaps catch too much - also things that really are programming
errors and shouldn't give a 400 reply.
I think I would prefer to just catch this Unicode error if it happens,
rather than trying to trigger it early. Perhaps by wrapping the call of
_basic_security_checks. Do you think that would catch too much or too
little?
/Mads
On 26/08/2024 17:06, Valentin Kleibel wrote:
Hi,
We have recently noticed a lot of errors in Kallithea from probing for
a PHP vulnerability [1] looking like:
"WebApp Error: UnicodeDecodeError: 'utf-8' codec can't decode byte
0xad in position 0: invalid start byte"
This can be reproduced with curl:
curl https://example.com/?%AD
The error stems from webob naively trying to utf-8 decode all
%-encoded bytes in URL-parameters.
In my opinion this exception should be handled and an error 400 should
be returned.
Attached you can find a small patch I created to check for this in
kallithea/controllers/base.py:_basic_security_checks().
Best Regards,
Valentin
[1]
https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
_______________________________________________
kallithea-general mailing list
[email protected]
https://lists.sfconservancy.org/mailman/listinfo/kallithea-general
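The failure mode discussed in this thread, reproduced and guarded in a small WSGI example. This is an added example, not Kallithea or WebOb code: it does not import webob; instead a hypothetical `naive_app` decodes the query string as strict UTF-8, which is the behaviour the report attributes to webob, so `?%AD` raises the same `UnicodeDecodeError` quoted above. `bad_request_on_undecodable` is the narrow catch Mads proposes (only `UnicodeDecodeError`, not the broader `UnicodeError`, so a `UnicodeEncodeError` from a programming error still surfaces as a 500), and `call_wsgi` drives the app offline with a constructed environ in place of the curl request. All three names are assumptions for this illustration.

```python
"""Reproduce the strict UTF-8 decode of %-encoded query parameters and turn
the resulting UnicodeDecodeError into a 400 instead of a 500.

Added example, not Kallithea or WebOb code. webob is not imported; the
naive decoding is re-implemented here with the standard library only.
"""
import sys
from io import BytesIO
from urllib.parse import unquote_to_bytes


def decode_query_strict(query_string):
    """Split a raw query string on '&' and '=' and decode every %-escaped
    component as strict UTF-8, mirroring the naive decoding the report
    describes. Raises UnicodeDecodeError on bytes that are not valid UTF-8,
    e.g. '%AD' -> b'\\xad' -> "can't decode byte 0xad in position 0"."""
    pairs = []
    for chunk in query_string.split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote_to_bytes(key).decode("utf-8"),
                      unquote_to_bytes(value).decode("utf-8")))
    return pairs


def naive_app(environ, start_response):
    """Hypothetical application (stand-in for the web app in the report):
    reads the query parameters strictly, then answers 200. An undecodable
    parameter propagates as an unhandled UnicodeDecodeError, i.e. a 500."""
    params = decode_query_strict(environ.get("QUERY_STRING", ""))
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [("params=%r\n" % (params,)).encode("utf-8")]


def bad_request_on_undecodable(app):
    """WSGI wrapper that maps UnicodeDecodeError raised while handling a
    request to a 400 reply. Deliberately narrow: UnicodeDecodeError only,
    not UnicodeError, so encode errors from programming bugs still fail
    loudly instead of being blamed on the client."""
    def wrapper(environ, start_response):
        try:
            return app(environ, start_response)
        except UnicodeDecodeError:
            # Passing exc_info lets start_response be called even if the
            # wrapped app already began a response, as WSGI requires.
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain; charset=utf-8")],
                           sys.exc_info())
            return [b"400 Bad Request: request is not valid UTF-8\n"]
    return wrapper


def call_wsgi(app, query_string, path="/"):
    """Drive a WSGI app offline with a constructed environ (no real server)
    and return (status, body_bytes). Replaces the curl request."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": query_string,
        "SERVER_NAME": "example.com",
        "SERVER_PORT": "443",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "wsgi.version": (1, 0),
        "wsgi.url_scheme": "https",
        "wsgi.input": BytesIO(b""),
        "wsgi.errors": sys.stderr,
        "wsgi.multithread": False,
        "wsgi.multiprocess": False,
        "wsgi.run_once": False,
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None  # write() callable, unused here

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    guarded = bad_request_on_undecodable(naive_app)
    for qs in ("q=caf%C3%A9", "%AD"):  # the second is the probe from the report
        print("?%s -> %s" % (qs, call_wsgi(guarded, qs)[0]))
```

Wrapping the whole app this way is the equivalent of catching the error around `_basic_security_checks` or in `__call__`: the client-controlled bytes are rejected with a 400 wherever they are first decoded, without having to predict every place webob will decode them.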