<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Kallithea team,</p>
<p>I got this crash report I thought I should pass on. The short
version: some IP address/Internet mapping service visited us, and
provided a full DNS hostname in the various IP address headers.
The code crashes because it assumes any string in these headers <i>must</i>
be an IP address, without checking.</p>
<p>I'm personally not particularly worried about this bug, since
this obviously isn't a "real" visitor and I'm sure Kallithea isn't
the only software out there making this assumption. But I also
know how sometimes one bug can lead to another, so I wanted to let
you know at least. 23.253.224.235 is the IPv4 address of our
Kallithea server, so the way it appears in the header values here
is part of how this mapping project works. Let me know if there's
any other information I can provide that's helpful.<br>
</p>
<div class="moz-cite-prefix">On 4/12/21 11:33 AM, Conservancy
Kallithea wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20210412153307.B4A1E210032@kapok.sfconservancy.org">
<pre class="moz-quote-pre" wrap="">TRACEBACK:
Traceback (most recent call last):
File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 82, in __call__
response = self.wrapped_dispatch(controller, environ, context)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/errorpage.py", line 104, in __call__
resp = self.next_handler(controller, environ, context)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/caching.py", line 54, in __call__
return self.next_handler(controller, environ, context)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/session.py", line 71, in __call__
response = self.next_handler(controller, environ, context)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/i18n.py", line 71, in __call__
return self.next_handler(controller, environ, context)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 243, in _dispatch
return controller(environ, context)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 511, in __call__
ip_addr=ip_addr,
File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 458, in _determine_auth_user
authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 391, in make
if not check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 806, in check_ip_access
if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
File "/usr/local/src/kallithea/lib/python3.7/site-packages/ipaddr.py", line 83, in IPAddress
address)
ValueError: '23-253-224-235-xrip.DOMAIN' does not appear to be an IPv4 or IPv6 address
ENVIRON:
CONTENT_LENGTH: '0'
HTTP_ACCEPT: '*/*'
HTTP_ACCEPT_ENCODING: 'gzip'
HTTP_CLIENT_IP: '23-253-224-235-cip.DOMAIN'
HTTP_CONNECTION: 'Keep-Alive'
HTTP_CONTACT: '<a class="moz-txt-link-abbreviated" href="mailto:root@23-253-224-235-con.DOMAIN">root@23-253-224-235-con.DOMAIN</a>'
HTTP_FROM: '<a class="moz-txt-link-abbreviated" href="mailto:root@23-253-224-235-from.DOMAIN">root@23-253-224-235-from.DOMAIN</a>'
HTTP_HOST: '23.253.224.235'
HTTP_REFERER: '<a class="moz-txt-link-freetext" href="https://23-253-224-235-ref.DOMAIN/ref">https://23-253-224-235-ref.DOMAIN/ref</a>'
HTTP_TRUE_CLIENT_IP: '23-253-224-235-tcip.DOMAIN'
HTTP_USER_AGENT: 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0 <a class="moz-txt-link-abbreviated" href="mailto:root@user-agent.DOMAIN">root@user-agent.DOMAIN</a>'
HTTP_X_CLIENT_IP: '23-253-224-235-xcip.DOMAIN'
HTTP_X_FORWARDED_SERVER: 'k.sfconservancy.org'
HTTP_X_ORIGINATING_IP: '23-253-224-235-xoip.DOMAIN'
HTTP_X_REAL_IP: '23-253-224-235-xrip.DOMAIN'
PATH_INFO: '/error/document'
QUERY_STRING: ''
REQUEST_METHOD: 'GET'
SCRIPT_NAME: ''
SERVER_PROTOCOL: 'HTTP/1.1'
SERVER_SOFTWARE: 'waitress'
WSGI:
backlash.exc_environ: {'REQUEST_METHOD': 'GET', 'SERVER_SOFTWARE': 'waitress', 'SERVER_PROTOCOL': 'HTTP/1.1', 'SCRIPT_NAME': '', 'PATH_INFO': '/', 'QUERY_STRING': '', 'wsgi.url_scheme': 'https', 'wsgi.version': (1, 0), 'wsgi.errors': <_io.TextIOWrapper name='<stderr>' mode='w' encoding='UTF-8'>, 'wsgi.multithread': True, 'wsgi.multiprocess': False, 'wsgi.run_once': False, 'wsgi.input': <_io.BytesIO object at 0x7f60d84b69e8>, 'wsgi.file_wrapper': <class 'waitress.buffers.ReadOnlyFileBasedBuffer'>, 'wsgi.input_terminated': True, 'HTTP_HOST': '23.253.224.235', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0 <a class="moz-txt-link-abbreviated" href="mailto:root@user-agent.DOMAIN">root@user-agent.DOMAIN</a>', 'HTTP_ACCEPT': '*/*', 'HTTP_CLIENT_IP': '23-253-224-235-cip.DOMAIN', 'HTTP_CONTACT': '<a class="moz-txt-link-abbreviated" href="mailto:root@23-253-224-235-con.DOMAIN">root@23-253-224-235-con.DOMAIN</a>', 'HTTP_FROM': '<a class="moz-txt-link-abbreviated" href="mailto:root@23-253-224-235-from.DOMAIN">root@23-253-224-235-from.DOMAIN</a>', 'HTTP_REFERER': '<a class="moz-txt-link-freetext" href="https://23-253-224-235-ref.DOMAIN/ref">https://23-253-224-235-ref.DOMAIN/ref</a>', 'HTTP_TRUE_CLIENT_IP': '23-253-224-235-tcip.DOMAIN', 'HTTP_X_CLIENT_IP': '23-253-224-235-xcip.DOMAIN', 'HTTP_X_ORIGINATING_IP': '23-253-224-235-xoip.DOMAIN', 'HTTP_X_REAL_IP': '23-253-224-235-xrip.DOMAIN', 'HTTP_ACCEPT_ENCODING': 'gzip', 'HTTP_X_FORWARDED_SERVER': 'k.sfconservancy.org', 'HTTP_CONNECTION': 'Keep-Alive', 'paste.registry': <tg.support.registry.Registry object at 0x7f60cb659710>, 'wsgi._org_proto': 'http', 'tg.locals': <tg.wsgiapp.RequestLocals object at 0x7f60d83a1eb8>, 'beaker.cache': <beaker.cache.CacheManager object at 0x7f60dc6b30b8>, 'beaker.session': {'_domain': None, '_path': '/', '_accessed_time': 1618241587.6123757, '_creation_time': 1618241587.6123757}, 'beaker.get_session': <bound method SessionApplicationWrapper._get_session of 
<tg.appwrappers.session.SessionApplicationWrapper object at 0x7f60dc6b3048>>, 'webob._parsed_query_vars': (GET([]), '')}
backlash.exc_info: (<class 'ValueError'>, ValueError("'23-253-224-235-xrip.DOMAIN' does not appear to be an IPv4 or IPv6 address"), <traceback object at 0x7f60d862a8c8>)
beaker.cache: <beaker.cache.CacheManager object at 0x7f60dc6b30b8>
beaker.get_session: <bound method SessionApplicationWrapper._get_session of <tg.appwrappers.session.SessionApplicationWrapper object at 0x7f60dc6b3048>>
beaker.session: {'_domain': None, '_path': '/', '_accessed_time': 1618241587.6204958, '_creation_time': 1618241587.6204958}
paste.registry: <tg.support.registry.Registry object at 0x7f60cb659710>
tg.locals: <tg.wsgiapp.RequestLocals object at 0x7f60d83a1eb8>
tg.original_request: <Request at 0x7f60cb5e4668 GET <a class="moz-txt-link-freetext" href="https://23.253.224.235/">https://23.253.224.235/</a>>
tg.original_response: <Response at 0x7f60d844d470 500 Internal Server Error>
webob._parsed_query_vars: (GET([]), '')
webob.is_body_seekable: True
wsgi._org_proto: 'http'
wsgi.errors: <_io.TextIOWrapper name='<stderr>' mode='w' encoding='UTF-8'>
wsgi.file_wrapper: <class 'waitress.buffers.ReadOnlyFileBasedBuffer'>
wsgi.input: <_io.BytesIO object at 0x7f60d94ac150>
wsgi.input_terminated: True
wsgi.multiprocess: False
wsgi.multithread: True
wsgi.run_once: False
wsgi.url_scheme: 'https'
wsgi.version: (1, 0)
REQUEST:
<Request at 0x7f60d84f63c8 GET <a class="moz-txt-link-freetext" href="https://23.253.224.235/error/document">https://23.253.224.235/error/document</a>></pre>
</blockquote>
<div class="moz-signature">-- <br>
Brett Smith</div>
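<p>Added example, not part of the original message and not Kallithea's own code: one way to keep a hostname in a client-IP header from raising in the access check that the traceback ends in. It uses the standard-library <code>ipaddress</code> module instead of the <code>ipaddr</code> package from the traceback; <code>parse_ip</code>, <code>client_ip</code>, the <code>trusted_headers</code> parameter and the <code>REMOTE_ADDR</code> value are assumptions made for illustration, and <code>check_ip_access</code> only mirrors the name and arguments seen in the traceback.</p>

```python
import ipaddress

# Constructed sample modelled on the ENVIRON section of the crash report.
# REMOTE_ADDR is an assumed value (documentation range); the report has none.
SAMPLE_ENVIRON = {
    "HTTP_X_REAL_IP": "23-253-224-235-xrip.DOMAIN",
    "HTTP_CLIENT_IP": "23-253-224-235-cip.DOMAIN",
    "REMOTE_ADDR": "203.0.113.7",
}

def parse_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address((value or "").strip())
    except ValueError:
        return None

def client_ip(environ, trusted_headers=("HTTP_X_REAL_IP",)):
    """Pick the client address; a header counts only if it parses as an IP.

    These headers are client-controlled unless a trusted reverse proxy
    overwrites them, so a non-IP value is ignored and the socket peer
    address is used instead.
    """
    for name in trusted_headers:
        ip = parse_ip(environ.get(name))
        if ip is not None:
            return ip
    return parse_ip(environ.get("REMOTE_ADDR"))

def check_ip_access(source_ip, allowed_ips):
    """Fail closed: an unparsable source or network never grants access."""
    ip = parse_ip(source_ip) if isinstance(source_ip, str) else source_ip
    if ip is None:
        return False
    for net in allowed_ips:
        try:
            if ip in ipaddress.ip_network(net, strict=False):
                return True
        except ValueError:
            continue  # skip a malformed allow-list entry instead of raising
    return False
```

<p>With this shape the request in the report is evaluated against the socket peer address and gets a normal allow or deny decision instead of a 500 response.</p>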
</body>
</html>