diff --git a/CONTRIBUTORS b/CONTRIBUTORS
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -3,6 +3,7 @@ List of contributors to Kallithea projec
     Mads Kiilerich 2016-2024
     Aristotelis Stageiritis 2024
     Poesty Li 2024
+    Valentin Kleibel 2024
     Manuel Jacob 2019-2020 2022-2023
     Mathias De Mare 2023
     qy117121 2023
diff --git a/kallithea/controllers/base.py b/kallithea/controllers/base.py
--- a/kallithea/controllers/base.py
+++ b/kallithea/controllers/base.py
@@ -456,8 +456,16 @@ class BaseController(TGController):
         if request.method not in ['GET', 'HEAD', 'POST']:
             raise webob.exc.HTTPMethodNotAllowed()
 
+        try:
+            params = request.params
+        except UnicodeDecodeError as e:
+            # webobj will leak UnicodeDecodeError when decoding invalid
+            # URLencoded byte sequences in parameters
+            log.error('Error decoding request parameters: %s' % e)
+            raise webob.exc.HTTPBadRequest()
+
         # Also verify the _method override - no longer allowed.
-        if request.params.get('_method') is None:
+        if params.get('_method') is None:
             pass # no override, no problem
         else:
             raise webob.exc.HTTPMethodNotAllowed()
diff --git a/kallithea/templates/about.html b/kallithea/templates/about.html
--- a/kallithea/templates/about.html
+++ b/kallithea/templates/about.html
@@ -27,6 +27,7 @@
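Review bot: The `log.error(...)` in the new `except UnicodeDecodeError` branch fires on a condition any unauthenticated client can trigger with a single malformed query string, so it turns a correctly rejected 400 into an attacker-controlled error-log flood and pager noise; a client-side input error should be logged at warning level at most, and with lazy formatting rather than eager `%`. Suggested: `log.warning('Error decoding request parameters: %s', e)`. The comment above it also has a typo and could be sharper, e.g. `# webob raises UnicodeDecodeError when decoding invalid URL-encoded byte sequences in the query string or form body; turn that into a 400 instead of a 500`. The guard only covers this one `request.params` access in the base controller; if any controller reads `request.GET`/`request.POST` on a path that does not pass through this check, the same exception would presumably still surface as a 500 — worth confirming. The enclosing method starts above the hunk.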
  • Copyright © 2012–2024, Mads Kiilerich
  • Copyright © 2024, Aristotelis Stageiritis
  • Copyright © 2024, Poesty Li
  • +
  • Copyright © 2024, Valentin Kleibel
  • Copyright © 2019–2020, 2022–2023, Manuel Jacob
  • Copyright © 2023, Mathias De Mare
  • Copyright © 2023, qy117121