[PATCH] fix: UnicodeDecodeError: can't decode byte 0xad
Valentin Kleibel
valentin at vrvis.at
Mon Aug 26 15:06:15 UTC 2024
Hi,
we have recently noticed a lot of errors in Kallithea from probing for a
php vulnerability [1] looking like:
"WebApp Error: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xad
in position 0: invalid start byte"
This can be reproduced with curl:
curl https://example.com/?%AD
The error stems from webob naively trying to utf-8 decode all %-encoded
bytes in URL-parameters.
In my opinion this exception should be handled and an error 400 should be
returned.
Attached you can find a small patch I created to check for this in
kallithea/controllers/base.py:_basic_security_checks().
Best Regards,
Valentin
[1]
https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-UnicodeDecodeError.diff
Type: text/x-patch
Size: 820 bytes
Desc: not available
URL: <http://lists.sfconservancy.org/pipermail/kallithea-general/attachments/20240826/6133b17c/attachment.bin>
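The check described in the mail, as an added illustration rather than the attached patch or Kallithea's own code: it percent-decodes the raw QUERY_STRING from a WSGI environ and rejects the request with a 400 before any UTF-8 decoding can raise. The function and app names are assumptions for the example.

```python
# Added example (not the patch from the mailing list): validate that every
# %-encoded byte in a request's query string is valid UTF-8 before anything
# else (such as webob's request parsing) tries to decode it, returning 400
# instead of letting UnicodeDecodeError propagate as a 500.
from urllib.parse import unquote_to_bytes


def query_string_is_valid_utf8(query_string):
    """Return True if the raw (still %-encoded) query string decodes as UTF-8."""
    try:
        unquote_to_bytes(query_string).decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def check_query_string(environ):
    """Hypothetical pre-check modelled on the idea in the mail: return None if
    the request's QUERY_STRING is acceptable, or a (status, body) pair to send
    back as an error response without touching the rest of the request."""
    qs = environ.get("QUERY_STRING", "")
    if not query_string_is_valid_utf8(qs):
        return ("400 Bad Request", b"Invalid percent-encoding in query string\n")
    return None


def wsgi_app(environ, start_response):
    """Minimal WSGI app that applies the check before the real handler runs."""
    err = check_query_string(environ)
    if err is not None:
        status, body = err
        start_response(status, [("Content-Type", "text/plain")])
        return [body]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


if __name__ == "__main__":
    # Constructed request mirroring the probe from the mail: curl https://example.com/?%AD
    probe = {"QUERY_STRING": "%AD", "REQUEST_METHOD": "GET"}
    print(check_query_string(probe))
```

Percent-encoded sequences that do form valid UTF-8 (for example `%C3%A9`) still pass, so only malformed byte sequences are rejected.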