Re: Kallithea crashes when "IP address" headers have hostnames
On 4/17/21 4:03 PM, Mads Kiilerich wrote:
> But I'm surprised your webserver (waitress?) according to the environment dump apparently didn't set REMOTE_ADDR from the actual TCP connection in the environment.

It did; I manually took that out of the report (along with similar variables) to keep some of our server configuration details private. Sorry I didn't make that clearer. But it's a totally normal boring localhost address. :)

--
Brett Smith
___
kallithea-general mailing list
kallithea-general@sfconservancy.org
https://lists.sfconservancy.org/mailman/listinfo/kallithea-general
Re: Kallithea crashes when "IP address" headers have hostnames
On 4/13/21 4:29 PM, Brett Smith wrote:
> Hi Kallithea team,
>
> I got this crash report I thought I should pass on. The short version: some IP address/Internet mapping service visited us, and provided a full DNS hostname in the various IP address headers. The code crashes because it assumes any string in these headers /must/ be an IP address, without checking.
>
> I'm personally not particularly worried about this bug, since this obviously isn't a "real" visitor and I'm sure Kallithea isn't the only software out there making this assumption. But I also know how sometimes one bug can lead to another, so I wanted to let you know at least.
>
> 23.253.224.235 is the IPv4 address of our Kallithea server, so the way it appears in the header values here is part of how this mapping project works.
>
> Let me know if there's any other information I can provide that's helpful.

Thanks for the report. We will improve the handling of invalid client addresses.

But I'm surprised your webserver (waitress?) according to the environment dump apparently didn't set REMOTE_ADDR from the actual TCP connection in the environment.

The CGI spec (rfc 3875) says: "The REMOTE_ADDR variable MUST be set to the network address of the client sending the request to the server".

The WSGI spec (pep 333) says: "A server or gateway **should** attempt to provide as many other CGI variables as are applicable".

REMOTE_ADDR might be less relevant if it just points at a front-end server, but I would expect it to be set anyway.
/Mads
Kallithea crashes when "IP address" headers have hostnames
Hi Kallithea team,

I got this crash report I thought I should pass on. The short version: some IP address/Internet mapping service visited us, and provided a full DNS hostname in the various IP address headers. The code crashes because it assumes any string in these headers /must/ be an IP address, without checking.

I'm personally not particularly worried about this bug, since this obviously isn't a "real" visitor and I'm sure Kallithea isn't the only software out there making this assumption. But I also know how sometimes one bug can lead to another, so I wanted to let you know at least.

23.253.224.235 is the IPv4 address of our Kallithea server, so the way it appears in the header values here is part of how this mapping project works.

Let me know if there's any other information I can provide that's helpful.

On 4/12/21 11:33 AM, Conservancy Kallithea wrote:
> TRACEBACK:
> Traceback (most recent call last):
>   File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 82, in __call__
>     response = self.wrapped_dispatch(controller, environ, context)
>   File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/errorpage.py", line 104, in __call__
>     resp = self.next_handler(controller, environ, context)
>   File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/caching.py", line 54, in __call__
>     return self.next_handler(controller, environ, context)
>   File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/session.py", line 71, in __call__
>     response = self.next_handler(controller, environ, context)
>   File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/i18n.py", line 71, in __call__
>     return self.next_handler(controller, environ, context)
>   File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 243, in _dispatch
>     return controller(environ, context)
>   File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 511, in __call__
>     ip_addr=ip_addr,
>   File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 458, in _determine_auth_user
>     authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)
>   File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 391, in make
>     if not check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
>   File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 806, in check_ip_access
>     if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
>   File "/usr/local/src/kallithea/lib/python3.7/site-packages/ipaddr.py", line 83, in IPAddress
>     address)
> ValueError: '23-253-224-235-xrip.DOMAIN' does not appear to be an IPv4 or IPv6 address
>
> ENVIRON:
> CONTENT_LENGTH: '0'
> HTTP_ACCEPT: '*/*'
> HTTP_ACCEPT_ENCODING: 'gzip'
> HTTP_CLIENT_IP: '23-253-224-235-cip.DOMAIN'
> HTTP_CONNECTION: 'Keep-Alive'
> HTTP_CONTACT: 'root@23-253-224-235-con.DOMAIN'
> HTTP_FROM: 'root@23-253-224-235-from.DOMAIN'
> HTTP_HOST: '23.253.224.235'
> HTTP_REFERER: 'https://23-253-224-235-ref.DOMAIN/ref'
> HTTP_TRUE_CLIENT_IP: '23-253-224-235-tcip.DOMAIN'
> HTTP_USER_AGENT: 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0 root@user-agent.DOMAIN'
> HTTP_X_CLIENT_IP: '23-253-224-235-xcip.DOMAIN'
> HTTP_X_FORWARDED_SERVER: 'k.sfconservancy.org'
> HTTP_X_ORIGINATING_IP: '23-253-224-235-xoip.DOMAIN'
> HTTP_X_REAL_IP: '23-253-224-235-xrip.DOMAIN'
> PATH_INFO: '/error/document'
> QUERY_STRING: ''
> REQUEST_METHOD: 'GET'
> SCRIPT_NAME: ''
> SERVER_PROTOCOL: 'HTTP/1.1'
> SERVER_SOFTWARE: 'waitress'
>
> WSGI:
> backlash.exc_environ: {'REQUEST_METHOD': 'GET', 'SERVER_SOFTWARE': 'waitress', 'SERVER_PROTOCOL': 'HTTP/1.1', 'SCRIPT_NAME': '', 'PATH_INFO': '/', 'QUERY_STRING': '', 'wsgi.url_scheme': 'https', 'wsgi.version': (1, 0), 'wsgi.errors': <_io.TextIOWrapper name='' mode='w' encoding='UTF-8'>, 'wsgi.multithread': True, 'wsgi.multiprocess': False, 'wsgi.run_once': False, 'wsgi.input': <_io.BytesIO object at 0x7f60d84b69e8>, 'wsgi.file_wrapper': , 'wsgi.input_terminated': True,
> 'HTTP_HOST': '23.253.224.235', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0 root@user-agent.DOMAIN', 'HTTP_ACCEPT': '*/*', 'HTTP_CLIENT_IP': '23-253-224-235-cip.DOMAIN', 'HTTP_CONTACT': 'root@23-253-224-235-con.DOMAIN', 'HTTP_FROM': 'root@23-253-224-235-from.DOMAIN', 'HTTP_REFERER': 'https://23-253-224-235-ref.DOMAIN/ref', 'HTTP_TRUE_CLIENT_IP': '23-253-224-235-tcip.DOMAIN', 'HTTP_X_CLIENT_IP': '23-253-224-235-xcip.DOMAIN', 'HTTP_X_ORIGINATING_IP': '23-253-224-235-xoip.DOMAIN', 'HTTP_X_REAL_IP': '23-253-224-235-xrip.DOMAIN', 'HTTP_ACCEPT_ENCODING': 'gzip', 'HTTP_X_FORWARDED_SERVER': 'k.sfconservancy.org', 'HTTP_CONNECTION': 'Keep-Alive',
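A defensive version of the address lookup the traceback ends in, written as an added example for this thread rather than taken from Kallithea: header values that are not literal IP addresses are ignored and the lookup falls back to REMOTE_ADDR, and the allow-list check denies an unparseable source instead of raising. The header names and their order, the allow-list semantics (empty list allows everyone) and the REMOTE_ADDR value in the constructed environment are assumptions, not Kallithea's own behaviour.

```python
import ipaddress

# Headers consulted for the client address, in order. The list and its order are
# assumptions for this example; all are client-controlled, so honour them only
# behind a proxy that overwrites them.
IP_HEADERS = ("HTTP_X_REAL_IP", "HTTP_TRUE_CLIENT_IP", "HTTP_X_CLIENT_IP",
              "HTTP_CLIENT_IP", "HTTP_X_ORIGINATING_IP", "HTTP_X_FORWARDED_FOR")

# Constructed from the report's environment dump. REMOTE_ADDR was stripped from
# the report but described as a normal localhost address, so 127.0.0.1 is assumed.
CRASH_ENVIRON = {
    "REMOTE_ADDR": "127.0.0.1",
    "HTTP_CLIENT_IP": "23-253-224-235-cip.DOMAIN",
    "HTTP_TRUE_CLIENT_IP": "23-253-224-235-tcip.DOMAIN",
    "HTTP_X_REAL_IP": "23-253-224-235-xrip.DOMAIN",
}

def parse_ip(value):
    """Return an ipaddress object for a literal IP, or None for anything else."""
    if not value:
        return None
    # X-Forwarded-For may carry a comma separated chain; the first entry is the client.
    candidate = value.split(",")[0].strip()
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:  # hostnames such as the ones in the report, or garbage
        return None

def client_ip(environ):
    """First header holding a valid literal address, else REMOTE_ADDR, else None."""
    for header in IP_HEADERS:
        ip = parse_ip(environ.get(header))
        if ip is not None:
            return ip
    return parse_ip(environ.get("REMOTE_ADDR"))

def check_ip_access(source_ip, allowed_ips):
    """True if source_ip is inside an allowed network; empty list allows all (assumed)."""
    if not allowed_ips:
        return True
    ip = parse_ip(source_ip)
    if ip is None:
        return False  # the case that raised ValueError in the traceback
    for entry in allowed_ips:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:  # malformed allow-list entry: skip it, keep checking
            continue
        if ip in net:  # a v4 address in a v6 network is simply False
            return True
    return False
```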