Kallithea crashes when "IP address" headers have hostnames
Mads Kiilerich
mads at kiilerich.com
Sat Apr 17 20:03:13 UTC 2021
On 4/13/21 4:29 PM, Brett Smith wrote:
>
> Hi Kallithea team,
>
> I got this crash report I thought I should pass on. The short version:
> some IP address/Internet mapping service visited us, and provided a
> full DNS hostname in the various IP address headers. The code crashes
> because it assumes any string in these headers /must/ be an IP
> address, without checking.
>
> I'm personally not particularly worried about this bug, since this
> obviously isn't a "real" visitor and I'm sure Kallithea isn't the only
> software out there making this assumption. But I also know how
> sometimes one bug can lead to another, so I wanted to let you know at
> least. 23.253.224.235 is the IPv4 address of our Kallithea server, so
> the way it appears in the header values here is part of how this
> mapping project works. Let me know if there's any other information I
> can provide that's helpful.
>
Thanks for the report. We will improve the handling of invalid client
addresses.
But I'm surprised your webserver (waitress?) according to the
environment dump apparently didn't set REMOTE_ADDR from the actual TCP
connection in the environment.
The CGI spec (rfc 3875) says: "The REMOTE_ADDR variable MUST be set to
the network address of the client sending the request to the server".
The WSGI spec (pep 333) says: "A server or gateway **should** attempt to
provide as many other CGI variables as are applicable".
REMOTE_ADDR might be less relevant if it just points at a front-end
server, but I would expect it to be set anyway.
/Mads
> On 4/12/21 11:33 AM, Conservancy Kallithea wrote:
>> TRACEBACK:
>> Traceback (most recent call last):
>> File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 82, in __call__
>> response = self.wrapped_dispatch(controller, environ, context)
>> File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/errorpage.py", line 104, in __call__
>> resp = self.next_handler(controller, environ, context)
>> File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/caching.py", line 54, in __call__
>> return self.next_handler(controller, environ, context)
>> File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/session.py", line 71, in __call__
>> response = self.next_handler(controller, environ, context)
>> File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/appwrappers/i18n.py", line 71, in __call__
>> return self.next_handler(controller, environ, context)
>> File "/usr/local/src/kallithea/lib/python3.7/site-packages/tg/wsgiapp.py", line 243, in _dispatch
>> return controller(environ, context)
>> File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 511, in __call__
>> ip_addr=ip_addr,
>> File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/base.py", line 458, in _determine_auth_user
>> authuser = AuthUser.make(dbuser=default_user, ip_addr=ip_addr)
>> File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 391, in make
>> if not check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
>> File "/usr/local/src/kallithea/lib/python3.7/site-packages/kallithea/lib/auth.py", line 806, in check_ip_access
>> if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
>> File "/usr/local/src/kallithea/lib/python3.7/site-packages/ipaddr.py", line 83, in IPAddress
>> address)
>> ValueError: '23-253-224-235-xrip.DOMAIN' does not appear to be an IPv4 or IPv6 address
>>
>>
>> ENVIRON:
>> CONTENT_LENGTH: '0'
>> HTTP_ACCEPT: '*/*'
>> HTTP_ACCEPT_ENCODING: 'gzip'
>> HTTP_CLIENT_IP: '23-253-224-235-cip.DOMAIN'
>> HTTP_CONNECTION: 'Keep-Alive'
>> HTTP_CONTACT: 'root at 23-253-224-235-con.DOMAIN'
>> HTTP_FROM: 'root at 23-253-224-235-from.DOMAIN'
>> HTTP_HOST: '23.253.224.235'
>> HTTP_REFERER: 'https://23-253-224-235-ref.DOMAIN/ref'
>> HTTP_TRUE_CLIENT_IP: '23-253-224-235-tcip.DOMAIN'
>> HTTP_USER_AGENT: 'Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0root at user-agent.DOMAIN'
>> HTTP_X_CLIENT_IP: '23-253-224-235-xcip.DOMAIN'
>> HTTP_X_FORWARDED_SERVER: 'k.sfconservancy.org'
>> HTTP_X_ORIGINATING_IP: '23-253-224-235-xoip.DOMAIN'
>> HTTP_X_REAL_IP: '23-253-224-235-xrip.DOMAIN'
>> PATH_INFO: '/error/document'
>> QUERY_STRING: ''
>> REQUEST_METHOD: 'GET'
>> SCRIPT_NAME: ''
>> SERVER_PROTOCOL: 'HTTP/1.1'
>> SERVER_SOFTWARE: 'waitress'
>>
>>
>> REQUEST:
>> <Request at 0x7f60d84f63c8 GEThttps://23.253.224.235/error/document>
> --
> Brett Smith
>
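A defensive way to derive and validate the client address for the situation in this report, written as an added example rather than Kallithea's own code: it treats REMOTE_ADDR as authoritative, consults forwarded headers only when the TCP peer is a configured trusted proxy (an assumed policy), and turns a hostname like '23-253-224-235-xrip.DOMAIN' into a denial instead of a ValueError.

```python
import ipaddress

# Forwarded-address headers seen in the crash report. Honouring them only
# behind a trusted proxy is this example's policy, not Kallithea's own logic.
FORWARDED_HEADERS = ("HTTP_X_REAL_IP", "HTTP_TRUE_CLIENT_IP", "HTTP_X_FORWARDED_FOR")

def parse_ip(value):
    """Return an ipaddress object for value, or None if it is not an IP."""
    if not value:
        return None
    # X-Forwarded-For may carry a comma-separated chain; take the first hop.
    candidate = value.split(",")[0].strip()
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:  # e.g. '23-253-224-235-xrip.DOMAIN' from the report
        return None

def client_ip(environ, trusted_proxies=()):
    """Client address from a WSGI environ; never raises on bad headers."""
    # REMOTE_ADDR (set by the server from the TCP peer) is authoritative.
    remote = parse_ip(environ.get("REMOTE_ADDR"))
    proxies = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    # Forwarded headers count only when the peer is a trusted proxy; an
    # unparsable header value falls back to REMOTE_ADDR instead of crashing.
    if remote is not None and any(remote in p for p in proxies):
        for header in FORWARDED_HEADERS:
            forwarded = parse_ip(environ.get(header))
            if forwarded is not None:
                return str(forwarded)
    return str(remote) if remote is not None else None

def check_ip_access(source_ip, allowed_ips):
    """Allow-list check: a malformed source is denied, never an exception."""
    if not allowed_ips:  # no restriction configured (assumed convention)
        return True
    src = parse_ip(source_ip)
    if src is None:
        return False
    for net in allowed_ips:
        try:
            if src in ipaddress.ip_network(net, strict=False):
                return True
        except ValueError:
            continue  # skip a malformed allow-list entry rather than crash
    return False

# Constructed sample mirroring the report: no REMOTE_ADDR, hostnames in headers.
REPORTED_ENVIRON = {"HTTP_X_REAL_IP": "23-253-224-235-xrip.DOMAIN",
                    "HTTP_TRUE_CLIENT_IP": "23-253-224-235-tcip.DOMAIN"}
```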