# HG changeset patch
# User Valentin Kleibel
# Date 2024-08-26 19:13:06
# Node ID aa51aca7fd1a543d669dbca660ee87a78d96d689
# Parent 0245e0ebddd09c6bcc7b1cd74708cf19a49ee57e
controller: Handle UnicodeDecodeError from webob decoding invalid URLs
webob will try to utf-8 decode all %-encoded bytes in URL-parameters, but will not handle Unicode erors ... and neither did Kallithea. Visiting a URL like http://localhost:5000/?%AD would thus give an unhandled exception showing "Internal Server Error" to the user, and logging the full traceback and: WebApp Error: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xad in position 0: invalid start byte This has been seen a lot recently from attackers probing for a php vulnerability https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/ . Now handle these exceptions more nicely and reject with "400 Bad Request".
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -3,6 +3,7 @@ List of contributors to Kallithea projec
     Mads Kiilerich 2016-2024
     Aristotelis Stageiritis 2024
     Poesty Li 2024
+    Valentin Kleibel 2024
     Manuel Jacob 2019-2020 2022-2023
     Mathias De Mare 2023
     qy117121 2023
diff --git a/kallithea/controllers/base.py b/kallithea/controllers/base.py
--- a/kallithea/controllers/base.py
+++ b/kallithea/controllers/base.py
@@ -456,8 +456,16 @@ class BaseController(TGController):
         if request.method not in ['GET', 'HEAD', 'POST']:
             raise webob.exc.HTTPMethodNotAllowed()
 
+        try:
+            params = request.params
+        except UnicodeDecodeError as e:
+            # webobj will leak UnicodeDecodeError when decoding invalid
+            # URLencoded byte sequences in parameters
+            log.error('Error decoding request parameters: %s' % e)
+            raise webob.exc.HTTPBadRequest()
+
         # Also verify the _method override - no longer allowed.
-        if request.params.get('_method') is None:
+        if params.get('_method') is None:
             pass  # no override, no problem
         else:
             raise webob.exc.HTTPMethodNotAllowed()
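Review bot: `log.error('Error decoding request parameters: %s' % e)` in the new except branch pre-formats the message with `%`; pass the value lazily as `log.error('Error decoding request parameters: %s', e)` so the logging module formats only when the record is actually emitted and keeps the exception as a structured argument. Given that the commit message describes these requests as mostly automated scanner traffic that is now correctly answered with 400, error level is likely too loud for a routine rejection; `log.warning` (or `log.info`) would preserve the signal without every probe showing up as an application error, though this depends on how the deployment routes error-level logs. The comment above the log call says `webobj` where `webob` is meant. The enclosing method starts before the hunk and continues past its last line.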
diff --git a/kallithea/templates/about.html b/kallithea/templates/about.html --- a/kallithea/templates/about.html +++ b/kallithea/templates/about.html @@ -27,6 +27,7 @@
  • Copyright © 2012–2024, Mads Kiilerich
  • Copyright © 2024, Aristotelis Stageiritis
  • Copyright © 2024, Poesty Li
  • +
  • Copyright © 2024, Valentin Kleibel
  • Copyright © 2019–2020, 2022–2023, Manuel Jacob
  • Copyright © 2023, Mathias De Mare
  • Copyright © 2023, qy117121