Hi Kallithea team,

I got this crash report I thought I should pass on. The short version: some IP address/Internet mapping service visited us, and provided a full DNS hostname in the various IP address headers. The code crashes because it assumes any string in these headers /must/ be an IP address, without checking.

I'm personally not particularly worried about this bug, since this obviously isn't a "real" visitor and I'm sure Kallithea isn't the only software out there making this assumption. But I also know how sometimes one bug can lead to another, so I wanted to let you know at least. 23.253.224.235 is the IPv4 address of our Kallithea server, so the way it appears in the header values here is part of how this mapping project works. Let me know if there's any other information I can provide that's helpful.

On 4/12/21 11:33 AM, Conservancy Kallithea wrote:
TRACEBACK:
Traceback (most recent call last):
   File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 82, in __call__
     response = self.wrapped_dispatch(controller, environ, context)
   File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/errorpage.py", line 104, in __call__
     resp = self.next_handler(controller, environ, context)
   File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/caching.py", line 54, in __call__
     return self.next_handler(controller, environ, context)
   File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/session.py", line 71, in __call__
     response = self.next_handler(controller, environ, context)
   File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/i18n.py", line 71, in __call__
     return self.next_handler(controller, environ, context)
   File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 243, in _dispatch
     return controller(environ, context)
   File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 511, in __call__
     ip_addr=ip_addr,
   File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 458, in _determine_auth_user
     authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)
   File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 391, in make
     if not check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
   File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 806, in check_ip_access
     if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
   File "/usr/local/src/kallithea/lib/python3.7/site-packages/ipaddr.py", line 83, in IPAddress
     address)
ValueError: '23-253-224-235-xrip.DOMAIN' does not appear to be an IPv4 or IPv6 address


ENVIRON:
        CONTENT_LENGTH: '0'
        HTTP_ACCEPT: '*/*'
        HTTP_ACCEPT_ENCODING: 'gzip'
        HTTP_CLIENT_IP: '23-253-224-235-cip.DOMAIN'
        HTTP_CONNECTION: 'Keep-Alive'
        HTTP_CONTACT: 'root@23-253-224-235-con.DOMAIN'
        HTTP_FROM: 'root@23-253-224-235-from.DOMAIN'
        HTTP_HOST: '23.253.224.235'
        HTTP_REFERER: 'https://23-253-224-235-ref.DOMAIN/ref'
        HTTP_TRUE_CLIENT_IP: '23-253-224-235-tcip.DOMAIN'
        HTTP_USER_AGENT: 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0 root@user-agent.DOMAIN'
        HTTP_X_CLIENT_IP: '23-253-224-235-xcip.DOMAIN'
        HTTP_X_FORWARDED_SERVER: 'k.sfconservancy.org'
        HTTP_X_ORIGINATING_IP: '23-253-224-235-xoip.DOMAIN'
        HTTP_X_REAL_IP: '23-253-224-235-xrip.DOMAIN'
        PATH_INFO: '/error/document'
        QUERY_STRING: ''
        REQUEST_METHOD: 'GET'
        SCRIPT_NAME: ''
        SERVER_PROTOCOL: 'HTTP/1.1'
        SERVER_SOFTWARE: 'waitress'


WSGI:
        backlash.exc_environ: {'REQUEST_METHOD': 'GET', 'SERVER_SOFTWARE': 'waitress', 'SERVER_PROTOCOL': 'HTTP/1.1', 'SCRIPT_NAME': '', 'PATH_INFO': '/', 'QUERY_STRING': '', 'wsgi.url_scheme': 'https', 'wsgi.version': (1, 0), 'wsgi.errors': <_io.TextIOWrapper name='<stderr>' mode='w' encoding='UTF-8'>, 'wsgi.multithread': True, 'wsgi.multiprocess': False, 'wsgi.run_once': False, 'wsgi.input': <_io.BytesIO object at 0x7f60d84b69e8>, 'wsgi.file_wrapper': <class 'waitress.buffers.ReadOnlyFileBasedBuffer'>, 'wsgi.input_terminated': True, 'HTTP_HOST': '23.253.224.235', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0 root@user-agent.DOMAIN', 'HTTP_ACCEPT': '*/*', 'HTTP_CLIENT_IP': '23-253-224-235-cip.DOMAIN', 'HTTP_CONTACT': 'root@23-253-224-235-con.DOMAIN', 'HTTP_FROM': 'root@23-253-224-235-from.DOMAIN', 'HTTP_REFERER': 'https://23-253-224-235-ref.DOMAIN/ref', 'HTTP_TRUE_CLIENT_IP': '23-253-224-235-tcip.DOMAIN', 'HTTP_X_CLIENT_IP': '23-253-224-235-xcip.DOMAIN', 'HTTP_X_ORIGINATING_IP': '23-253-224-235-xoip.DOMAIN', 'HTTP_X_REAL_IP': '23-253-224-235-xrip.DOMAIN', 'HTTP_ACCEPT_ENCODING': 'gzip', 'HTTP_X_FORWARDED_SERVER': 'k.sfconservancy.org', 'HTTP_CONNECTION': 'Keep-Alive', 'paste.registry': <tg.support.registry.Registry object at 0x7f60cb659710>, 'wsgi._org_proto': 'http', 'tg.locals': <tg.wsgiapp.RequestLocals object at 0x7f60d83a1eb8>, 'beaker.cache': <beaker.cache.CacheManager object at 0x7f60dc6b30b8>, 'beaker.session': {'_domain': None, '_path': '/', '_accessed_time': 1618241587.6123757, '_creation_time': 1618241587.6123757}, 'beaker.get_session': <bound method SessionApplicationWrapper._get_session of <tg.appwrappers.session.SessionApplicationWrapper object at 0x7f60dc6b3048>>, 'webob._parsed_query_vars': (GET([]), '')}
        backlash.exc_info: (<class 'ValueError'>, ValueError("'23-253-224-235-xrip.DOMAIN' does not appear to be an IPv4 or IPv6 address"), <traceback object at 0x7f60d862a8c8>)
        beaker.cache: <beaker.cache.CacheManager object at 0x7f60dc6b30b8>
        beaker.get_session: <bound method SessionApplicationWrapper._get_session of <tg.appwrappers.session.SessionApplicationWrapper object at 0x7f60dc6b3048>>
        beaker.session: {'_domain': None, '_path': '/', '_accessed_time': 1618241587.6204958, '_creation_time': 1618241587.6204958}
        paste.registry: <tg.support.registry.Registry object at 0x7f60cb659710>
        tg.locals: <tg.wsgiapp.RequestLocals object at 0x7f60d83a1eb8>
        tg.original_request: <Request at 0x7f60cb5e4668 GET https://23.253.224.235/>
        tg.original_response: <Response at 0x7f60d844d470 500 Internal Server Error>
        webob._parsed_query_vars: (GET([]), '')
        webob.is_body_seekable: True
        wsgi._org_proto: 'http'
        wsgi.errors: <_io.TextIOWrapper name='<stderr>' mode='w' encoding='UTF-8'>
        wsgi.file_wrapper: <class 'waitress.buffers.ReadOnlyFileBasedBuffer'>
        wsgi.input: <_io.BytesIO object at 0x7f60d94ac150>
        wsgi.input_terminated: True
        wsgi.multiprocess: False
        wsgi.multithread: True
        wsgi.run_once: False
        wsgi.url_scheme: 'https'
        wsgi.version: (1, 0)


REQUEST:
        <Request at 0x7f60d84f63c8 GET https://23.253.224.235/error/document>
--
Brett Smith
_______________________________________________
kallithea-general mailing list
kallithea-general@sfconservancy.org
https://lists.sfconservancy.org/mailman/listinfo/kallithea-general
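The traceback above shows the failure mode the report describes: `check_ip_access` hands whatever string was found in an `X-Real-IP`-style header straight to `ipaddr.IPAddress`, and a hostname in that header turns into an unhandled `ValueError`, i.e. a 500 for any visitor who sets the header. The following is an added example, not Kallithea's own code, showing the defensive shape a practitioner would want: validate each header value with the standard-library `ipaddress` module, skip values that are not IP literals, fall back to `REMOTE_ADDR`, and make the allow-list check deny (rather than crash) on unparseable input. The header list, the header precedence and the sample `environ` are constructed for the example; the sample mirrors the hostnames from the report.

```python
import ipaddress

# Header names a client-IP lookup might consult, in the order this example trusts
# them (constructed for the example; a real deployment should trust only the
# header its own reverse proxy sets, since clients control everything else).
CLIENT_IP_HEADERS = (
    "HTTP_X_REAL_IP",
    "HTTP_X_FORWARDED_FOR",
    "HTTP_CLIENT_IP",
    "HTTP_TRUE_CLIENT_IP",
    "HTTP_X_CLIENT_IP",
    "HTTP_X_ORIGINATING_IP",
)


def parse_ip(value):
    """Return an IPv4Address/IPv6Address for value, or None if it is not an IP literal."""
    value = value.strip()
    # X-Forwarded-For may carry a comma-separated hop chain; take the first entry.
    if "," in value:
        value = value.split(",", 1)[0].strip()
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        # Hostnames, empty strings and other junk end up here instead of crashing.
        return None


def determine_ip_addr(environ):
    """Pick the client address from a WSGI environ, ignoring header values that are not IPs."""
    for header in CLIENT_IP_HEADERS:
        candidate = environ.get(header)
        if candidate:
            parsed = parse_ip(candidate)
            if parsed is not None:
                return str(parsed)
    remote = environ.get("REMOTE_ADDR")
    parsed = parse_ip(remote) if remote else None
    return str(parsed) if parsed is not None else None


def check_ip_access(source_ip, allowed_ips):
    """Allow when no allow-list is configured; otherwise require membership.

    Unparseable source addresses or malformed networks deny instead of raising,
    so a hostile or malformed header can never turn into a server error.
    """
    if not allowed_ips:
        return True
    src = parse_ip(source_ip) if source_ip else None
    if src is None:
        return False
    for net in allowed_ips:
        try:
            # A v4 address is never "in" a v6 network (and vice versa); no exception.
            if src in ipaddress.ip_network(net, strict=False):
                return True
        except ValueError:
            continue  # skip a badly configured allow-list entry
    return False


# Constructed environ modelled on the report: every IP header carries a hostname,
# so only REMOTE_ADDR (a documentation-range address here) is usable.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_X_REAL_IP": "23-253-224-235-xrip.DOMAIN",
    "HTTP_CLIENT_IP": "23-253-224-235-cip.DOMAIN",
    "HTTP_TRUE_CLIENT_IP": "23-253-224-235-tcip.DOMAIN",
    "HTTP_X_CLIENT_IP": "23-253-224-235-xcip.DOMAIN",
    "HTTP_X_ORIGINATING_IP": "23-253-224-235-xoip.DOMAIN",
}

if __name__ == "__main__":
    ip = determine_ip_addr(SAMPLE_ENVIRON)
    print("client ip:", ip)                                   # 203.0.113.7
    print("allowed (no list):", check_ip_access(ip, []))      # True
    print("allowed (10/8 only):", check_ip_access(ip, ["10.0.0.0/8"]))  # False
    # The exact string from the report no longer raises; it is simply denied.
    print(check_ip_access("23-253-224-235-xrip.DOMAIN", ["10.0.0.0/8"]))  # False
```

Running it against the constructed environ yields `203.0.113.7` from `REMOTE_ADDR`, because every header value fails `ipaddress.ip_address` and is skipped. The separate point worth noting for an allow-list feature is that the fallback must be the transport-level peer address, not `None`: otherwise an IP-restricted account could be reached with an empty source address if the allow-list code treats "no address" as "no restriction".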
