Uncaptured exception instead of 400 when receiving non-ascii bytes in request url #64
I have waitress installed on my production server and it generates strange exceptions. Like this:
I found that these exceptions are generated when some stupid bot sends a request with raw bytes \xd0 in the HTTP header in the first line. Here is a line from the nginx log (nginx proxies queries to waitress):
As you can see, here the client sent both URL-escaped and raw bytes in GET. According to the RFC, the URL must be escaped. But nginx doesn't care.
I also wrote a simple PoC to demonstrate the issue:
```python
import socket

def send_xdo(host, port=80):
    s = socket.create_connection((host, port))
    # Request line containing the raw, unescaped byte 0xD0
    req = b"GET /\xd0 HTTP/1.1\n\n"
    s.send(req)
    s.recv(4096)
    s.close()

send_xdo('localhost', 6543)
```
I think Waitress should be able to handle this exception. It would be better to just send 400 Bad Request to the client. Take a look at the RFC - http://tools.ietf.org/html/rfc2616#section-5.1.2
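The behaviour requested in the report above, as an added example that is not part of the original issue and is not waitress's own code: a request-line check that answers 400 Bad Request for raw non-ASCII bytes instead of letting a decode error propagate. The names `parse_request_line` and `response_for` are hypothetical, and the character check is a deliberately simple assumption (printable US-ASCII only, well-formed percent-escapes).

```python
import re

# Assumption: a request-target may contain only printable US-ASCII (no space);
# anything else must arrive percent-escaped.
_TARGET_OK = re.compile(rb"[\x21-\x7e]+")
_BAD_ESCAPE = re.compile(rb"%(?![0-9A-Fa-f]{2})")
_VERSION_OK = re.compile(rb"HTTP/\d\.\d")

BAD_REQUEST = (b"HTTP/1.1 400 Bad Request\r\n"
               b"Connection: close\r\nContent-Length: 0\r\n\r\n")


def parse_request_line(line: bytes):
    """Return (status, method, target, version); status is 200 or 400.

    Hypothetical helper: works on bytes and decodes only after validation,
    so malformed input yields a 400 rather than an unhandled exception.
    """
    reject = (400, None, None, None)
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:
        return reject
    method, target, version = parts
    # fullmatch, not match: '$' would tolerate an embedded trailing newline.
    if not _TARGET_OK.fullmatch(target) or _BAD_ESCAPE.search(target):
        return reject
    if not _VERSION_OK.fullmatch(version):
        return reject
    try:
        return (200, method.decode("ascii"), target.decode("ascii"),
                version.decode("ascii"))
    except UnicodeDecodeError:  # e.g. non-ASCII bytes in the method token
        return reject


def response_for(line: bytes) -> bytes:
    """Map a raw request line to the response a server would send."""
    status, *_ = parse_request_line(line)
    if status == 400:
        return BAD_REQUEST
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    # Constructed sample request lines, including the one from the PoC.
    for sample in (b"GET /\xd0 HTTP/1.1\n", b"GET /%D0%BF HTTP/1.1\r\n"):
        print(sample, "->", parse_request_line(sample)[0])
```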