Re: Kallithea crashes when "IP address" headers have hostnames

2021-04-20 Thread Brett Smith

On 4/17/21 4:03 PM, Mads Kiilerich wrote:


But I'm surprised your webserver (waitress?) according to the 
environment dump apparently didn't set REMOTE_ADDR from the actual TCP 
connection in the environment.


It did, I manually took that out of the report (along with similar 
variables) to keep some of our server configuration details private. 
Sorry I didn't make that clearer. But it's a totally normal boring 
localhost address. :)


--
Brett Smith
___
kallithea-general mailing list
kallithea-general@sfconservancy.org
https://lists.sfconservancy.org/mailman/listinfo/kallithea-general


Re: Kallithea crashes when "IP address" headers have hostnames

2021-04-17 Thread Mads Kiilerich

On 4/13/21 4:29 PM, Brett Smith wrote:


Hi Kallithea team,

I got this crash report I thought I should pass on. The short version: 
some IP address/Internet mapping service visited us, and provided a 
full DNS hostname in the various IP address headers. The code crashes 
because it assumes any string in these headers /must/ be an IP 
address, without checking.


I'm personally not particularly worried about this bug, since this 
obviously isn't a "real" visitor and I'm sure Kallithea isn't the only 
software out there making this assumption. But I also know how 
sometimes one bug can lead to another, so I wanted to let you know at 
least. 23.253.224.235 is the IPv4 address of our Kallithea server, so 
the way it appears in the header values here is part of how this 
mapping project works. Let me know if there's any other information I 
can provide that's helpful.




Thanks for the report. We will improve the handling of invalid client 
addresses.



But I'm surprised your webserver (waitress?) according to the 
environment dump apparently didn't set REMOTE_ADDR from the actual TCP 
connection in the environment.


The CGI spec (rfc 3875) says: "The REMOTE_ADDR variable MUST be set to 
the network address of the client sending the request to the server".


The WSGI spec (pep 333) says: "A server or gateway **should** attempt to 
provide as many other CGI variables as are applicable".


REMOTE_ADDR might be less relevant if it just points at a front-end 
server, but I would expect it to be set anyway.


/Mads



On 4/12/21 11:33 AM, Conservancy Kallithea wrote:

TRACEBACK:
Traceback (most recent call last):
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 82, in __call__
    response = self.wrapped_dispatch(controller, environ, context)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/errorpage.py", line 104, in __call__
    resp = self.next_handler(controller, environ, context)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/caching.py", line 54, in __call__
    return self.next_handler(controller, environ, context)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/session.py", line 71, in __call__
    response = self.next_handler(controller, environ, context)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/i18n.py", line 71, in __call__
    return self.next_handler(controller, environ, context)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 243, in _dispatch
    return controller(environ, context)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 511, in __call__
    ip_addr=ip_addr,
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 458, in _determine_auth_user
    authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 391, in make
    if not check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 806, in check_ip_access
    if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/ipaddr.py", line 83, in IPAddress
    address)
ValueError: '23-253-224-235-xrip.DOMAIN' does not appear to be an IPv4 or IPv6 address


ENVIRON:
CONTENT_LENGTH: '0'
HTTP_ACCEPT: '*/*'
HTTP_ACCEPT_ENCODING: 'gzip'
HTTP_CLIENT_IP: '23-253-224-235-cip.DOMAIN'
HTTP_CONNECTION: 'Keep-Alive'
HTTP_CONTACT: 'root@23-253-224-235-con.DOMAIN'
HTTP_FROM: 'root@23-253-224-235-from.DOMAIN'
HTTP_HOST: '23.253.224.235'
HTTP_REFERER: 'https://23-253-224-235-ref.DOMAIN/ref'
HTTP_TRUE_CLIENT_IP: '23-253-224-235-tcip.DOMAIN'
HTTP_USER_AGENT: 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0 root@user-agent.DOMAIN'
HTTP_X_CLIENT_IP: '23-253-224-235-xcip.DOMAIN'
HTTP_X_FORWARDED_SERVER: 'k.sfconservancy.org'
HTTP_X_ORIGINATING_IP: '23-253-224-235-xoip.DOMAIN'
HTTP_X_REAL_IP: '23-253-224-235-xrip.DOMAIN'
PATH_INFO: '/error/document'
QUERY_STRING: ''
REQUEST_METHOD: 'GET'
SCRIPT_NAME: ''
SERVER_PROTOCOL: 'HTTP/1.1'
SERVER_SOFTWARE: 'waitress'


WSGI:
backlash.exc_environ: {'REQUEST_METHOD': 'GET', 'SERVER_SOFTWARE': 'waitress', 'SERVER_PROTOCOL': 'HTTP/1.1', 'SCRIPT_NAME': 
'', 'PATH_INFO': '/', 'QUERY_STRING': '', 'wsgi.url_scheme': 'https', 'wsgi.version': (1, 0), 'wsgi.errors': <_io.TextIOWrapper 
name='' mode='w' encoding='UTF-8'>, 'wsgi.multithread': True, 'wsgi.multiprocess': False, 'wsgi.run_once': False, 
'wsgi.input': <_io.BytesIO object at 0x7f60d84b69e8>, 'wsgi.file_wrapper': , 'wsgi.input_terminated': 
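The two points made in this thread (the crash in check_ip_access when a header carries a hostname, and REMOTE_ADDR being the address the web server should set from the TCP connection) can be combined into a fail-closed handler. The code below is an added example, not Kallithea's own code: it uses the standard-library ipaddress module rather than the ipaddr package seen in the traceback, treats a source address that is not an IP literal as "not allowed" instead of raising, and only consults a forwarded-for style header when the TCP peer is a configured proxy. The trusted-proxy list, the rule that an empty allow list means "no IP restriction", the X-Forwarded-For header name, and the sample environ (built from the header values in the report plus an assumed localhost REMOTE_ADDR) are all assumptions made for the example.

```python
"""Fail-closed client IP handling (added example; not Kallithea's code)."""
import ipaddress

# Constructed sample environ: header values from the crash report, plus the
# REMOTE_ADDR the reporter says was present (localhost is assumed here).
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "127.0.0.1",                              # assumed value
    "HTTP_X_REAL_IP": "23-253-224-235-xrip.DOMAIN",          # from the report
    "HTTP_X_FORWARDED_FOR": "23-253-224-235-xff.DOMAIN",     # constructed
}

# Assumption: the only peer allowed to speak for a client is a local front-end.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def parse_ip(value):
    """Return an IPv4Address/IPv6Address, or None if value is not an IP literal.

    This is the check the traceback shows missing: a hostname such as
    '23-253-224-235-xrip.DOMAIN' yields None instead of a ValueError.
    """
    if value is None:
        return None
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted(addr, proxies):
    """True if addr falls inside one of the trusted proxy networks."""
    return any(addr.version == net.version and addr in net for net in proxies)


def check_ip_access(source_ip, allowed_ips):
    """Fail closed: an unparsable source never matches an allow list.

    Assumption: an empty allow list means the user has no IP restriction.
    A malformed allow-list entry is skipped, so it can never grant access.
    """
    if not allowed_ips:
        return True
    addr = parse_ip(source_ip)
    if addr is None:
        return False
    for entry in allowed_ips:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if addr.version == net.version and addr in net:
            return True
    return False


def client_ip(environ, trusted_proxies=TRUSTED_PROXIES):
    """Derive the client address from REMOTE_ADDR first, headers only via a proxy.

    REMOTE_ADDR is set by the server from the TCP connection (RFC 3875), so it
    is the only value not under the client's control. A forwarded-for header is
    honoured only when the peer is a trusted proxy, walking from the rightmost
    hop (appended by our proxy) leftwards to the first untrusted address. Any
    hop that is not an IP literal (a hostname, as in the report) makes the
    function fall back to the peer address rather than guessing.
    """
    remote = parse_ip(environ.get("REMOTE_ADDR"))
    if remote is None:
        return None
    if not is_trusted(remote, trusted_proxies):
        return remote  # direct connection: header values are client-supplied
    header = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in header.split(",") if h.strip()]
    for hop in reversed(hops):
        hop_ip = parse_ip(hop)
        if hop_ip is None:
            return remote
        if not is_trusted(hop_ip, trusted_proxies):
            return hop_ip
    return remote


def request_allowed(environ, allowed_ips):
    """The decision the crashing code path was trying to make, without raising."""
    addr = client_ip(environ)
    return check_ip_access(None if addr is None else str(addr), allowed_ips)


if __name__ == "__main__":
    print("client:", client_ip(SAMPLE_ENVIRON))
    print("allowed (open list):", request_allowed(SAMPLE_ENVIRON, []))
    print("allowed (23.253.224.0/24):",
          request_allowed(SAMPLE_ENVIRON, ["23.253.224.0/24"]))
```

Because the hostname in the sample environ never parses, the request is attributed to the TCP peer and denied against a non-empty allow list; with the allow list empty it proceeds as an unrestricted request, which is the behaviour a reporter would expect from an unknown crawler rather than a 500.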

Kallithea crashes when "IP address" headers have hostnames

2021-04-13 Thread Brett Smith

Hi Kallithea team,

I got this crash report I thought I should pass on. The short version: 
some IP address/Internet mapping service visited us, and provided a full 
DNS hostname in the various IP address headers. The code crashes because 
it assumes any string in these headers /must/ be an IP address, without 
checking.


I'm personally not particularly worried about this bug, since this 
obviously isn't a "real" visitor and I'm sure Kallithea isn't the only 
software out there making this assumption. But I also know how sometimes 
one bug can lead to another, so I wanted to let you know at least. 
23.253.224.235 is the IPv4 address of our Kallithea server, so the way 
it appears in the header values here is part of how this mapping project 
works. Let me know if there's any other information I can provide that's 
helpful.


On 4/12/21 11:33 AM, Conservancy Kallithea wrote:

TRACEBACK:
Traceback (most recent call last):
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 82, in __call__
    response = self.wrapped_dispatch(controller, environ, context)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/errorpage.py", line 104, in __call__
    resp = self.next_handler(controller, environ, context)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/caching.py", line 54, in __call__
    return self.next_handler(controller, environ, context)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/session.py", line 71, in __call__
    response = self.next_handler(controller, environ, context)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/i18n.py", line 71, in __call__
    return self.next_handler(controller, environ, context)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 243, in _dispatch
    return controller(environ, context)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 511, in __call__
    ip_addr=ip_addr,
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 458, in _determine_auth_user
    authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 391, in make
    if not check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 806, in check_ip_access
    if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
  File "/usr/local/src/kallithea/lib/python3.7/site-packages/ipaddr.py", line 83, in IPAddress
    address)
ValueError: '23-253-224-235-xrip.DOMAIN' does not appear to be an IPv4 or IPv6 address


ENVIRON:
CONTENT_LENGTH: '0'
HTTP_ACCEPT: '*/*'
HTTP_ACCEPT_ENCODING: 'gzip'
HTTP_CLIENT_IP: '23-253-224-235-cip.DOMAIN'
HTTP_CONNECTION: 'Keep-Alive'
HTTP_CONTACT: 'root@23-253-224-235-con.DOMAIN'
HTTP_FROM: 'root@23-253-224-235-from.DOMAIN'
HTTP_HOST: '23.253.224.235'
HTTP_REFERER: 'https://23-253-224-235-ref.DOMAIN/ref'
HTTP_TRUE_CLIENT_IP: '23-253-224-235-tcip.DOMAIN'
HTTP_USER_AGENT: 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0 root@user-agent.DOMAIN'
HTTP_X_CLIENT_IP: '23-253-224-235-xcip.DOMAIN'
HTTP_X_FORWARDED_SERVER: 'k.sfconservancy.org'
HTTP_X_ORIGINATING_IP: '23-253-224-235-xoip.DOMAIN'
HTTP_X_REAL_IP: '23-253-224-235-xrip.DOMAIN'
PATH_INFO: '/error/document'
QUERY_STRING: ''
REQUEST_METHOD: 'GET'
SCRIPT_NAME: ''
SERVER_PROTOCOL: 'HTTP/1.1'
SERVER_SOFTWARE: 'waitress'


WSGI:
backlash.exc_environ: {'REQUEST_METHOD': 'GET', 'SERVER_SOFTWARE': 'waitress', 'SERVER_PROTOCOL': 'HTTP/1.1', 'SCRIPT_NAME': 
'', 'PATH_INFO': '/', 'QUERY_STRING': '', 'wsgi.url_scheme': 'https', 'wsgi.version': (1, 0), 'wsgi.errors': <_io.TextIOWrapper 
name='' mode='w' encoding='UTF-8'>, 'wsgi.multithread': True, 'wsgi.multiprocess': False, 'wsgi.run_once': False, 
'wsgi.input': <_io.BytesIO object at 0x7f60d84b69e8>, 'wsgi.file_wrapper': , 'wsgi.input_terminated': True, 'HTTP_HOST': '23.253.224.235', 'HTTP_USER_AGENT': 
'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0 root@user-agent.DOMAIN', 'HTTP_ACCEPT': '*/*', 
'HTTP_CLIENT_IP': '23-253-224-235-cip.DOMAIN', 'HTTP_CONTACT': 'root@23-253-224-235-con.DOMAIN', 'HTTP_FROM': 
'root@23-253-224-235-from.DOMAIN', 'HTTP_REFERER': 'https://23-253-224-235-ref.DOMAIN/ref', 'HTTP_TRUE_CLIENT_IP': 
'23-253-224-235-tcip.DOMAIN', 'HTTP_X_CLIENT_IP': '23-253-224-235-xcip.DOMAIN', 'HTTP_X_ORIGINATING_IP': 
'23-253-224-235-xoip.DOMAIN', 'HTTP_X_REAL_IP': '23-253-224-235-xrip.DOMAIN', 'HTTP_ACCEPT_ENCODING': 'gzip', 
'HTTP_X_FORWARDED_SERVER': 'k.sfconservancy.org', 'HTTP_CONNECTION': 'Keep-Alive',