Sorry for not having a full test case, but here's the basic overview:

 - Create a view that accesses request.params
 - Form a URL that uses that view, and which contains some query parameters that are not legal UTF-8 (e.g. a random byte string)
 - Try to access that URL on the Pyramid server

The result, for me, is a traceback like this:

Traceback (most recent call last):
  File "/usr/lib/python2.7/wsgiref/handlers.py", line 85, in run
    self.result = application(self.environ, self.start_response)
  File "/usr/local/lib/python2.7/dist-packages/pyramid/router.py", line 187, in __call__
    response = self.handle_request(request)
  File "/usr/local/lib/python2.7/dist-packages/pyramid/tweens.py", line 20, in excview_tween
    response = handler(request)
  File "/usr/local/lib/python2.7/dist-packages/pyramid/router.py", line 164, in handle_request
    response = view_callable(context, request)
  File "/usr/local/lib/python2.7/dist-packages/pyramid/config/views.py", line 333, in rendered_view
    result = view(context, request)
  File "/usr/local/lib/python2.7/dist-packages/pyramid/config/views.py", line 471, in _requestonly_view
    response = view(request)
  File "accountserver.py", line 297, in verify_account
    if "admin_auth" not in request.params or request.params["admin_auth"] != auth_val:
  File "/usr/local/lib/python2.7/dist-packages/webob/request.py", line 831, in params
    params = NestedMultiDict(self.GET, self.POST)
  File "/usr/local/lib/python2.7/dist-packages/webob/request.py", line 813, in GET
    vars = GetDict(data, env)
  File "/usr/local/lib/python2.7/dist-packages/webob/multidict.py", line 273, in __init__
    MultiDict.__init__(self, data)
  File "/usr/local/lib/python2.7/dist-packages/webob/multidict.py", line 37, in __init__
    items = list(args[0])
  File "/usr/local/lib/python2.7/dist-packages/webob/compat.py", line 125, in parse_qsl_text
    yield (x.decode(encoding), y.decode(encoding))
  File "/usr/lib/python2.7/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode byte 0xa7 in position 0: invalid start byte

It looks like maybe this is an error in WebOb rather than Pyramid as such, 
but it leaks out into my view functions, and it lets an external user raise 
exceptions on the server via malformed URLs, which -feels- like a security 
or potential DoS issue, even if the server (in my case, at least) stays up 
afterwards.

Can anybody with more understanding of this comment on this issue?

-- 
Ben Sizer


-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/pylons-discuss/-/qc-hV7Mq66oJ.
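The failure in the traceback above is a strict UTF-8 decode of query-string bytes that the client controls. The following is an added example, not code from the original post and not WebOb's or Pyramid's own implementation: it reproduces the strict decode in isolation with only the Python 3 standard library, shows the tolerant alternative (undecodable bytes become U+FFFD), and shows a request handler that treats the decode error as a client error (HTTP 400) rather than letting it escape the view as a 500. All function names, the `demo_view` modelled on the post's `verify_account` check, and the sample query strings are this example's own constructions.

```python
"""Added example: strict vs. tolerant query-string decoding, and turning
the decode failure into a 400 at the request boundary.
Python 3 standard library only; nothing here is WebOb or Pyramid code."""
from urllib.parse import unquote_to_bytes

# Constructed sample inputs. BAD_QUERY carries the same byte (0xa7) that
# the traceback in the post complains about, percent-encoded.
GOOD_QUERY = b"admin_auth=secret-value&lang=fr"
BAD_QUERY = b"admin_auth=%A7abc"


def parse_qsl_bytes(qs: bytes):
    """Split a raw query string into (key, value) byte pairs without decoding.
    '+' is treated as a space and percent-escapes are resolved to bytes."""
    pairs = []
    for field in qs.split(b"&"):
        if not field:
            continue
        key, _, value = field.partition(b"=")
        pairs.append((
            unquote_to_bytes(key.replace(b"+", b" ")),
            unquote_to_bytes(value.replace(b"+", b" ")),
        ))
    return pairs


def parse_qsl_strict(qs: bytes, encoding: str = "utf-8"):
    """Mirror of the behaviour in the traceback: every key and value is
    decoded strictly, so invalid UTF-8 raises UnicodeDecodeError."""
    return [(k.decode(encoding), v.decode(encoding)) for k, v in parse_qsl_bytes(qs)]


def parse_qsl_tolerant(qs: bytes, encoding: str = "utf-8"):
    """Same parse, but undecodable bytes are replaced with U+FFFD instead of
    raising, so a malformed URL can never abort the view."""
    return [
        (k.decode(encoding, "replace"), v.decode(encoding, "replace"))
        for k, v in parse_qsl_bytes(qs)
    ]


def decode_fails(qs: bytes) -> bool:
    """True if strict decoding of this query string raises."""
    try:
        parse_qsl_strict(qs)
    except UnicodeDecodeError:
        return True
    return False


def demo_view(params: dict):
    """Hypothetical view modelled on the post's verify_account check."""
    if params.get("admin_auth") != "secret-value":
        return 403, "Forbidden"
    return 200, "OK"


def handle_request(query: bytes, view):
    """Minimal stand-in for a framework request handler. A query string that
    is not valid UTF-8 is the client's fault, so answer 400 here instead of
    letting UnicodeDecodeError propagate out of the view as a 500."""
    try:
        params = dict(parse_qsl_strict(query))
    except UnicodeDecodeError:
        return 400, "Bad Request: query string is not valid UTF-8"
    return view(params)


if __name__ == "__main__":
    print(handle_request(GOOD_QUERY, demo_view))   # (200, 'OK')
    print(handle_request(BAD_QUERY, demo_view))    # (400, ...)
    print(parse_qsl_tolerant(BAD_QUERY))           # [('admin_auth', '\ufffdabc')]
```

Either handling is defensible: the tolerant decode keeps the view running on whatever the client sent, while the 400 mapping keeps strict decoding but makes the failure a logged client error instead of a server traceback. What matters from the defender's side is that the decision is made deliberately at the request boundary, not by whichever view happens to touch `request.params` first.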