Kallithea crashes when "IP address" headers have hostnames

Brett Smith brett at sfconservancy.org
Tue Apr 13 14:29:42 UTC 2021 

Hi Kallithea team,

I got this crash report I thought I should pass on. The short version: 
some IP address/Internet mapping service visited us, and provided a full 
DNS hostname in the various IP address headers. The code crashes because 
it assumes any string in these headers /must/ be an IP address, without 
checking.

I'm personally not particularly worried about this bug, since this 
obviously isn't a "real" visitor and I'm sure Kallithea isn't the only 
software out there making this assumption. But I also know how sometimes 
one bug can lead to another, so I wanted to let you know at least. 
23.253.224.235 is the IPv4 address of our Kallithea server, so the way 
it appears in the header values here is part of how this mapping project 
works. Let me know if there's any other information I can provide that's 
helpful.

On 4/12/21 11:33 AM, Conservancy Kallithea wrote:
> TRACEBACK:
> Traceback (most recent call last):
>    File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 82, in __call__
>      response = self.wrapped_dispatch(controller, environ, context)
>    File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/errorpage.py", line 104, in __call__
>      resp = self.next_handler(controller, environ, context)
>    File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/caching.py", line 54, in __call__
>      return self.next_handler(controller, environ, context)
>    File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/session.py", line 71, in __call__
>      response = self.next_handler(controller, environ, context)
>    File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/i18n.py", line 71, in __call__
>      return self.next_handler(controller, environ, context)
>    File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 243, in _dispatch
>      return controller(environ, context)
>    File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 511, in __call__
>      ip_addr=ip_addr,
>    File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 458, in _determine_auth_user
>      authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)
>    File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 391, in make
>      if not check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
>    File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 806, in check_ip_access
>      if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
>    File "/usr/local/src/kallithea/lib/python3.7/site-packages/ipaddr.py", line 83, in IPAddress
>      address)
> ValueError: '23-253-224-235-xrip.DOMAIN' does not appear to be an IPv4 or IPv6 address
>
>
> ENVIRON:
> 	CONTENT_LENGTH: '0'
> 	HTTP_ACCEPT: '*/*'
> 	HTTP_ACCEPT_ENCODING: 'gzip'
> 	HTTP_CLIENT_IP: '23-253-224-235-cip.DOMAIN'
> 	HTTP_CONNECTION: 'Keep-Alive'
> 	HTTP_CONTACT: 'root at 23-253-224-235-con.DOMAIN'
> 	HTTP_FROM: 'root at 23-253-224-235-from.DOMAIN'
> 	HTTP_HOST: '23.253.224.235'
> 	HTTP_REFERER: 'https://23-253-224-235-ref.DOMAIN/ref'
> 	HTTP_TRUE_CLIENT_IP: '23-253-224-235-tcip.DOMAIN'
> 	HTTP_USER_AGENT: 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0 root at user-agent.DOMAIN'
> 	HTTP_X_CLIENT_IP: '23-253-224-235-xcip.DOMAIN'
> 	HTTP_X_FORWARDED_SERVER: 'k.sfconservancy.org'
> 	HTTP_X_ORIGINATING_IP: '23-253-224-235-xoip.DOMAIN'
> 	HTTP_X_REAL_IP: '23-253-224-235-xrip.DOMAIN'
> 	PATH_INFO: '/error/document'
> 	QUERY_STRING: ''
> 	REQUEST_METHOD: 'GET'
> 	SCRIPT_NAME: ''
> 	SERVER_PROTOCOL: 'HTTP/1.1'
> 	SERVER_SOFTWARE: 'waitress'
>
>
> WSGI:
> 	backlash.exc_environ: {'REQUEST_METHOD': 'GET', 'SERVER_SOFTWARE': 'waitress', 'SERVER_PROTOCOL': 'HTTP/1.1', 'SCRIPT_NAME': '', 'PATH_INFO': '/', 'QUERY_STRING': '', 'wsgi.url_scheme': 'https', 'wsgi.version': (1, 0), 'wsgi.errors': <_io.TextIOWrapper name='<stderr>' mode='w' encoding='UTF-8'>, 'wsgi.multithread': True, 'wsgi.multiprocess': False, 'wsgi.run_once': False, 'wsgi.input': <_io.BytesIO object at 0x7f60d84b69e8>, 'wsgi.file_wrapper': <class 'waitress.buffers.ReadOnlyFileBasedBuffer'>, 'wsgi.input_terminated': True, 'HTTP_HOST': '23.253.224.235', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0 root at user-agent.DOMAIN', 'HTTP_ACCEPT': '*/*', 'HTTP_CLIENT_IP': '23-253-224-235-cip.DOMAIN', 'HTTP_CONTACT': 'root at 23-253-224-235-con.DOMAIN', 'HTTP_FROM': 'root at 23-253-224-235-from.DOMAIN', 'HTTP_REFERER': 'https://23-253-224-235-ref.DOMAIN/ref', 'HTTP_TRUE_CLIENT_IP': '23-253-224-235-tcip.DOMAIN', 'HTTP_X_CLIENT_IP': '23-253-224-235-xcip.DOMAIN', 'HTTP_X_ORIGINATING_IP': '23-253-224-235-xoip.DOMAIN', 'HTTP_X_REAL_IP': '23-253-224-235-xrip.DOMAIN', 'HTTP_ACCEPT_ENCODING': 'gzip', 'HTTP_X_FORWARDED_SERVER': 'k.sfconservancy.org', 'HTTP_CONNECTION': 'Keep-Alive', 'paste.registry': <tg.support.registry.Registry object at 0x7f60cb659710>, 'wsgi._org_proto': 'http', 'tg.locals': <tg.wsgiapp.RequestLocals object at 0x7f60d83a1eb8>, 'beaker.cache': <beaker.cache.CacheManager object at 0x7f60dc6b30b8>, 'beaker.session': {'_domain': None, '_path': '/', '_accessed_time': 1618241587.6123757, '_creation_time': 1618241587.6123757}, 'beaker.get_session': <bound method SessionApplicationWrapper._get_session of <tg.appwrappers.session.SessionApplicationWrapper object at 0x7f60dc6b3048>>, 'webob._parsed_query_vars': (GET([]), '')}
> 	backlash.exc_info: (<class 'ValueError'>, ValueError("'23-253-224-235-xrip.DOMAIN' does not appear to be an IPv4 or IPv6 address"), <traceback object at 0x7f60d862a8c8>)
> 	beaker.cache: <beaker.cache.CacheManager object at 0x7f60dc6b30b8>
> 	beaker.get_session: <bound method SessionApplicationWrapper._get_session of <tg.appwrappers.session.SessionApplicationWrapper object at 0x7f60dc6b3048>>
> 	beaker.session: {'_domain': None, '_path': '/', '_accessed_time': 1618241587.6204958, '_creation_time': 1618241587.6204958}
> 	paste.registry: <tg.support.registry.Registry object at 0x7f60cb659710>
> 	tg.locals: <tg.wsgiapp.RequestLocals object at 0x7f60d83a1eb8>
> 	tg.original_request: <Request at 0x7f60cb5e4668 GET https://23.253.224.235/>
> 	tg.original_response: <Response at 0x7f60d844d470 500 Internal Server Error>
> 	webob._parsed_query_vars: (GET([]), '')
> 	webob.is_body_seekable: True
> 	wsgi._org_proto: 'http'
> 	wsgi.errors: <_io.TextIOWrapper name='<stderr>' mode='w' encoding='UTF-8'>
> 	wsgi.file_wrapper: <class 'waitress.buffers.ReadOnlyFileBasedBuffer'>
> 	wsgi.input: <_io.BytesIO object at 0x7f60d94ac150>
> 	wsgi.input_terminated: True
> 	wsgi.multiprocess: False
> 	wsgi.multithread: True
> 	wsgi.run_once: False
> 	wsgi.url_scheme: 'https'
> 	wsgi.version: (1, 0)
>
>
> REQUEST:
> 	<Request at 0x7f60d84f63c8 GET https://23.253.224.235/error/document>
-- 
Brett Smith
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sfconservancy.org/pipermail/kallithea-general/attachments/20210413/024ba1ed/attachment.html>

More information about the kallithea-general mailing list