<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 4/13/21 4:29 PM, Brett Smith wrote:<br>
</div>
<blockquote type="cite"
cite="mid:25e2a504-7140-6833-54ef-2e3074606a40@sfconservancy.org">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>Hi Kallithea team,</p>
<p>I got this crash report I thought I should pass on. The short
version: some IP address/Internet mapping service visited us,
and provided a full DNS hostname in the various IP address
headers. The code crashes because it assumes any string in these
headers <i>must</i> be an IP address, without checking.</p>
<p>I'm personally not particularly worried about this bug, since
this obviously isn't a "real" visitor and I'm sure Kallithea
isn't the only software out there making this assumption. But I
also know how sometimes one bug can lead to another, so I wanted
to let you know at least. 23.253.224.235 is the IPv4 address of
our Kallithea server, so the way it appears in the header values
here is part of how this mapping project works. Let me know if
there's any other information I can provide that's helpful.<br>
</p>
</blockquote>
<p><br>
</p>
<p>Thanks for the report. We will improve the handling of invalid
client addresses.</p>
<p><br>
</p>
<p>But I'm surprised your webserver (waitress?) according to the
environment dump apparently didn't set REMOTE_ADDR from the actual
TCP connection in the environment. <br>
</p>
<p>The CGI spec (rfc 3875) says: "The REMOTE_ADDR variable MUST be
set to the network address of the client sending the request to
the server".</p>
<p>The WSGI spec (pep 333) says: "A server or gateway *<strong>should</strong>*
attempt to provide as many other CGI
variables as are applicable".</p>
<p>REMOTE_ADDR might be less relevant if it just points at a
front-end server, but I would expect it to be set anyway.</p>
<p>/Mads<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:25e2a504-7140-6833-54ef-2e3074606a40@sfconservancy.org">
<p> </p>
<div class="moz-cite-prefix">On 4/12/21 11:33 AM, Conservancy
Kallithea wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20210412153307.B4A1E210032@kapok.sfconservancy.org">
<pre class="moz-quote-pre" wrap="">TRACEBACK:
Traceback (most recent call last):
File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 82, in __call__
response = self.wrapped_dispatch(controller, environ, context)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/errorpage.py", line 104, in __call__
resp = self.next_handler(controller, environ, context)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/caching.py", line 54, in __call__
return self.next_handler(controller, environ, context)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/session.py", line 71, in __call__
response = self.next_handler(controller, environ, context)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/i18n.py", line 71, in __call__
return self.next_handler(controller, environ, context)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 243, in _dispatch
return controller(environ, context)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 511, in __call__
ip_addr=ip_addr,
File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 458, in _determine_auth_user
authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)
File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 391, in make
if not check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 806, in check_ip_access
if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
File "/usr/local/src/kallithea/lib/python3.7/site-packages/ipaddr.py", line 83, in IPAddress
address)
ValueError: '23-253-224-235-xrip.DOMAIN' does not appear to be an IPv4 or IPv6 address
ENVIRON:
CONTENT_LENGTH: '0'
HTTP_ACCEPT: '*/*'
HTTP_ACCEPT_ENCODING: 'gzip'
HTTP_CLIENT_IP: '23-253-224-235-cip.DOMAIN'
HTTP_CONNECTION: 'Keep-Alive'
HTTP_CONTACT: '<a class="moz-txt-link-abbreviated" href="mailto:root@23-253-224-235-con.DOMAIN" moz-do-not-send="true">root@23-253-224-235-con.DOMAIN</a>'
HTTP_FROM: '<a class="moz-txt-link-abbreviated" href="mailto:root@23-253-224-235-from.DOMAIN" moz-do-not-send="true">root@23-253-224-235-from.DOMAIN</a>'
HTTP_HOST: '23.253.224.235'
HTTP_REFERER: '<a class="moz-txt-link-freetext" href="https://23-253-224-235-ref.DOMAIN/ref" moz-do-not-send="true">https://23-253-224-235-ref.DOMAIN/ref</a>'
HTTP_TRUE_CLIENT_IP: '23-253-224-235-tcip.DOMAIN'
HTTP_USER_AGENT: 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0 <a class="moz-txt-link-abbreviated" href="mailto:root@user-agent.DOMAIN" moz-do-not-send="true">root@user-agent.DOMAIN</a>'
HTTP_X_CLIENT_IP: '23-253-224-235-xcip.DOMAIN'
HTTP_X_FORWARDED_SERVER: 'k.sfconservancy.org'
HTTP_X_ORIGINATING_IP: '23-253-224-235-xoip.DOMAIN'
HTTP_X_REAL_IP: '23-253-224-235-xrip.DOMAIN'
PATH_INFO: '/error/document'
QUERY_STRING: ''
REQUEST_METHOD: 'GET'
SCRIPT_NAME: ''
SERVER_PROTOCOL: 'HTTP/1.1'
SERVER_SOFTWARE: 'waitress'
WSGI:
backlash.exc_environ: {'REQUEST_METHOD': 'GET', 'SERVER_SOFTWARE': 'waitress', 'SERVER_PROTOCOL': 'HTTP/1.1', 'SCRIPT_NAME': '', 'PATH_INFO': '/', 'QUERY_STRING': '', 'wsgi.url_scheme': 'https', 'wsgi.version': (1, 0), 'wsgi.errors': <_io.TextIOWrapper name='<stderr>' mode='w' encoding='UTF-8'>, 'wsgi.multithread': True, 'wsgi.multiprocess': False, 'wsgi.run_once': False, 'wsgi.input': <_io.BytesIO object at 0x7f60d84b69e8>, 'wsgi.file_wrapper': <class 'waitress.buffers.ReadOnlyFileBasedBuffer'>, 'wsgi.input_terminated': True, 'HTTP_HOST': '23.253.224.235', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0 <a class="moz-txt-link-abbreviated" href="mailto:root@user-agent.DOMAIN" moz-do-not-send="true">root@user-agent.DOMAIN</a>', 'HTTP_ACCEPT': '*/*', 'HTTP_CLIENT_IP': '23-253-224-235-cip.DOMAIN', 'HTTP_CONTACT': '<a class="moz-txt-link-abbreviated" href="mailto:root@23-253-224-235-con.DOMAIN" moz-do-not-send="true">root@23-253-224-235-con.DOMAIN</a>', 'HTTP_FROM': '<a class="moz-txt-link-abbreviated" href="mailto:root@23-253-224-235-from.DOMAIN" moz-do-not-send="true">root@23-253-224-235-from.DOMAIN</a>', 'HTTP_REFERER': '<a class="moz-txt-link-freetext" href="https://23-253-224-235-ref.DOMAIN/ref" moz-do-not-send="true">https://23-253-224-235-ref.DOMAIN/ref</a>', 'HTTP_TRUE_CLIENT_IP': '23-253-224-235-tcip.DOMAIN', 'HTTP_X_CLIENT_IP': '23-253-224-235-xcip.DOMAIN', 'HTTP_X_ORIGINATING_IP': '23-253-224-235-xoip.DOMAIN', 'HTTP_X_REAL_IP': '23-253-224-235-xrip.DOMAIN', 'HTTP_ACCEPT_ENCODING': 'gzip', 'HTTP_X_FORWARDED_SERVER': 'k.sfconservancy.org', 'HTTP_CONNECTION': 'Keep-Alive', 'paste.registry': <tg.support.registry.Registry object at 0x7f60cb659710>, 'wsgi._org_proto': 'http', 'tg.locals': <tg.wsgiapp.RequestLocals object at 0x7f60d83a1eb8>, 'beaker.cache': <beaker.cache.CacheManager object at 0x7f60dc6b30b8>, 'beaker.session': {'_domain': None, '_path': '/', '_accessed_time': 1618241587.6123757, '_creation_time': 1618241587.6123757}, 'beaker.get_session': <bound method SessionApplicationWrapper._get_session of <tg.appwrappers.session.SessionApplicationWrapper object at 0x7f60dc6b3048>>, 'webob._parsed_query_vars': (GET([]), '')}
backlash.exc_info: (<class 'ValueError'>, ValueError("'23-253-224-235-xrip.DOMAIN' does not appear to be an IPv4 or IPv6 address"), <traceback object at 0x7f60d862a8c8>)
beaker.cache: <beaker.cache.CacheManager object at 0x7f60dc6b30b8>
beaker.get_session: <bound method SessionApplicationWrapper._get_session of <tg.appwrappers.session.SessionApplicationWrapper object at 0x7f60dc6b3048>>
beaker.session: {'_domain': None, '_path': '/', '_accessed_time': 1618241587.6204958, '_creation_time': 1618241587.6204958}
paste.registry: <tg.support.registry.Registry object at 0x7f60cb659710>
tg.locals: <tg.wsgiapp.RequestLocals object at 0x7f60d83a1eb8>
tg.original_request: <Request at 0x7f60cb5e4668 GET <a class="moz-txt-link-freetext" href="https://23.253.224.235/" moz-do-not-send="true">https://23.253.224.235/</a>>
tg.original_response: <Response at 0x7f60d844d470 500 Internal Server Error>
webob._parsed_query_vars: (GET([]), '')
webob.is_body_seekable: True
wsgi._org_proto: 'http'
wsgi.errors: <_io.TextIOWrapper name='<stderr>' mode='w' encoding='UTF-8'>
wsgi.file_wrapper: <class 'waitress.buffers.ReadOnlyFileBasedBuffer'>
wsgi.input: <_io.BytesIO object at 0x7f60d94ac150>
wsgi.input_terminated: True
wsgi.multiprocess: False
wsgi.multithread: True
wsgi.run_once: False
wsgi.url_scheme: 'https'
wsgi.version: (1, 0)
REQUEST:
<Request at 0x7f60d84f63c8 GET <a class="moz-txt-link-freetext" href="https://23.253.224.235/error/document" moz-do-not-send="true">https://23.253.224.235/error/document</a>></pre>
</blockquote>
<div class="moz-signature">-- <br>
Brett Smith</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
kallithea-general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:kallithea-general@sfconservancy.org">kallithea-general@sfconservancy.org</a>
<a class="moz-txt-link-freetext" href="https://lists.sfconservancy.org/mailman/listinfo/kallithea-general">https://lists.sfconservancy.org/mailman/listinfo/kallithea-general</a>
</pre>
</blockquote>
<p><br>
</p>
</body>
</html>