[PATCH] fix: UnicodeDecodeError: can't decode byte 0xad

Mads Kiilerich mads at kiilerich.com
Mon Aug 26 20:42:30 UTC 2024


Hi

Thanks for the report and the patch.

We could also catch this exception in the big try-except clause in 
__call__, and we could catch the more generic UnicodeError. But that 
would perhaps catch too much - also things that really are programming 
errors and shouldn't give a 400 reply.

I think I would prefer to just catch this Unicode error if it happens, 
rather than trying to trigger it early. Perhaps by wrapping the call of 
_basic_security_checks. Do you think that would catch too much or too 
little?

/Mads



On 26/08/2024 17:06, Valentin Kleibel wrote:
> Hi,
>
> we have recently noticed a lot of errors in Kallithea from probing for 
> a php vulnerability [1] looking like:
> "WebApp Error: UnicodeDecodeError: 'utf-8' codec can't decode byte 
> 0xad in position 0: invalid start byte"
>
> This can be reproduced with curl:
> curl https://example.com/?%AD
>
> The error stems from webob naively trying to utf-8 decode all 
> %-encoded bytes in URL-parameters.
>
> In my opinion this exception should be handled and an error 400 should 
> be returned.
>
> Attached you can find a small patch I created to check for this in 
> kallithea/controllers/base.py:_basic_security_checks().
>
> Best Regards,
> Valentin
>
>
> [1] 
> https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
>
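The failure mode discussed above, as an added example that is not Kallithea's or WebOb's own code: a stand-in query parser that percent-decodes to bytes and then decodes them as strict UTF-8 (which is what raises on a bare `%AD`), and a wrapper around a hypothetical `basic_security_checks()` that turns only `UnicodeDecodeError` into a 400, as Mads suggests, rather than the broader `UnicodeError`. The class and function names are assumptions for the example.

```python
from urllib.parse import unquote_to_bytes

# Constructed stand-ins for a WSGI-style request; these are not Kallithea's
# real classes and basic_security_checks() is not its _basic_security_checks().
class BadRequest(Exception):
    """Raised when the client sent something that cannot be decoded."""

def parse_query(query_string):
    """Decode a raw query string the way WebOb does: percent-decode each key
    and value to bytes, then decode those bytes as strict UTF-8."""
    params = {}
    for pair in query_string.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        # A lone 0xAD (the Latin-1 soft hyphen) is not a valid UTF-8 start
        # byte, so .decode() raises UnicodeDecodeError exactly as reported.
        params[unquote_to_bytes(key).decode("utf-8")] = (
            unquote_to_bytes(value).decode("utf-8"))
    return params

def basic_security_checks(environ):
    """Stand-in for the controller's pre-request checks: it touches the
    parsed query parameters, which is where the decode error surfaces."""
    parse_query(environ.get("QUERY_STRING", ""))

def guarded_security_checks(environ):
    """Wrap the checks and translate only UnicodeDecodeError into a 400.
    Catching UnicodeError here would also hide genuine programming errors
    (for example a UnicodeEncodeError raised by server-side code)."""
    try:
        basic_security_checks(environ)
    except UnicodeDecodeError as e:
        raise BadRequest(f"cannot decode request parameters: {e}") from e

def handle(environ):
    """Return a (status, body) tuple for a minimal WSGI-like request."""
    try:
        guarded_security_checks(environ)
    except BadRequest as e:
        return "400 Bad Request", str(e)
    return "200 OK", "ok"
```

Running `handle({"QUERY_STRING": "%AD"})` reproduces the curl case from the report and yields a 400 instead of an unhandled WebApp error.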
