[PATCH] fix: UnicodeDecodeError: can't decode byte 0xad
Mads Kiilerich
mads at kiilerich.com
Mon Aug 26 20:42:30 UTC 2024
Hi
Thanks for the report and the patch.
We could also catch this exception in the big try-except clause in
__call__, and we could catch the more generic UnicodeError. But that
would perhaps catch too much - also things that really are programming
errors and shouldn't give a 400 reply.
I think I would prefer to just catch this Unicode error if it happens,
rather than trying to trigger it early. Perhaps by wrapping the call of
_basic_security_checks. Do you think that would catch too much or too
little?
/Mads
On 26/08/2024 17:06, Valentin Kleibel wrote:
> Hi,
>
> we have recently noticed a lot of errors in Kallithea from probing for
> a php vulnerability [1] looking like:
> "WebApp Error: UnicodeDecodeError: 'utf-8' codec can't decode byte
> 0xad in position 0: invalid start byte"
>
> This can be reproduced with curl:
> curl https://example.com/?%AD
>
> The error stems from webob naively trying to utf-8 decode all
> %-encoded bytes in URL-parameters.
>
> In my opinion this exception should be handled and a error 400 should
> be returned.
>
> Attached you can find a small patch i created to check for this in
> kallithea/controllers/base.py:_basic_security_checks().
>
> Best Regards,
> Valentin
>
>
> [1]
> https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
>
> _______________________________________________
> kallithea-general mailing list
> kallithea-general at sfconservancy.org
> https://lists.sfconservancy.org/mailman/listinfo/kallithea-general
More information about the kallithea-general
mailing list