Gunicorn fails with a 500, instead of a 400, when a request path is a malformed IPv6 address #1023

Closed
alex opened this Issue May 9, 2015 · 2 comments

@alex
Contributor
alex commented May 9, 2015

Request:

~/.v/tempenv-701523535780 $ telnet localhost 8000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
PUT ///]ufd/: HTTP/1.1
HTTP/1.1 500 Internal Server Error
Connection: close
Content-Type: text/html
Content-Length: 141

<html>
  <head>
    <title>Internal Server Error</title>
  </head>
  <body>
    <h1><p>Internal Server Error</p></h1>

  </body>
</html>
Connection closed by foreign host.

Server:

(tempenv-027621611529f) ~/.v/tempenv-701523535780 $ gunicorn w:f
[2015-05-09 11:53:50 -0400] [75550] [INFO] Starting gunicorn 19.3.0
[2015-05-09 11:53:50 -0400] [75550] [INFO] Listening at: http://127.0.0.1:8000 (75550)
[2015-05-09 11:53:50 -0400] [75550] [INFO] Using worker: sync
[2015-05-09 11:53:50 -0400] [75567] [INFO] Booting worker with pid: 75567
[2015-05-09 11:54:44 -0400] [75567] [ERROR] Error handling request
Traceback (most recent call last):
  File "/Users/alex_gaynor/.virtualenvs/tempenv-027621611529f/lib/python2.7/site-packages/gunicorn/workers/sync.py", line 129, in handle
    req = six.next(parser)
  File "/Users/alex_gaynor/.virtualenvs/tempenv-027621611529f/lib/python2.7/site-packages/gunicorn/http/parser.py", line 41, in __next__
    self.mesg = self.mesg_class(self.cfg, self.unreader, self.req_count)
  File "/Users/alex_gaynor/.virtualenvs/tempenv-027621611529f/lib/python2.7/site-packages/gunicorn/http/message.py", line 153, in __init__
    super(Request, self).__init__(cfg, unreader)
  File "/Users/alex_gaynor/.virtualenvs/tempenv-027621611529f/lib/python2.7/site-packages/gunicorn/http/message.py", line 53, in __init__
    unused = self.parse(self.unreader)
  File "/Users/alex_gaynor/.virtualenvs/tempenv-027621611529f/lib/python2.7/site-packages/gunicorn/http/message.py", line 177, in parse
    self.parse_request_line(bytes_to_str(line))
  File "/Users/alex_gaynor/.virtualenvs/tempenv-027621611529f/lib/python2.7/site-packages/gunicorn/http/message.py", line 326, in parse_request_line
    parts = urlsplit(self.uri)
  File "/Users/alex_gaynor/.pyenv/versions/2.7.9/lib/python2.7/urlparse.py", line 214, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL

This should result in a 400 bad request, not a 500.

(This was found using the AFL fuzzer)

@berkerpeksag berkerpeksag added the Bug label May 9, 2015
@berkerpeksag berkerpeksag added a commit to berkerpeksag/gunicorn that referenced this issue May 9, 2015
@berkerpeksag berkerpeksag Raise InvalidRequestLine instead of ValueError if the line contains malicious data.

Closes #1023
b951175
@berkerpeksag
Collaborator

Thanks for the report! PR #1024 should fix this.

PUT ///]ufd/: HTTP/1.1
HTTP/1.1 400 Bad Request
Connection: close
Content-Type: text/html
Content-Length: 195

<html>
  <head>
    <title>Bad Request</title>
  </head>
  <body>
    <h1><p>Bad Request</p></h1>
    Invalid Request Line 'Invalid HTTP request line: 'PUT ///]ufd/: HTTP/1.1''
  </body>
</html>
Connection closed by foreign host.
@alex
Contributor
alex commented May 9, 2015

cool!

@berkerpeksag berkerpeksag added a commit to berkerpeksag/gunicorn that referenced this issue May 9, 2015
@tilgovi @berkerpeksag tilgovi + berkerpeksag Add test for #1023 6432d61
@berkerpeksag berkerpeksag added a commit to berkerpeksag/gunicorn that referenced this issue May 9, 2015
@tilgovi @berkerpeksag tilgovi + berkerpeksag Add test for #1023 72c8be5
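
The failure mode discussed in this thread, as an added example that is not gunicorn's code and not part of the original issue: a request-line parser that either lets `urlsplit`'s `ValueError` escape (answered with 500) or translates it into a parse error (answered with 400). The `InvalidRequestLine` class here is a stand-in, `parse_request_line`, `status_for` and the `hardened` flag are hypothetical names, the sample request lines are constructed, and the code assumes Python 3's `urllib.parse` rather than the Python 2 `urlparse` module in the traceback.

```python
from urllib.parse import urlsplit


class InvalidRequestLine(Exception):
    """Stand-in for a parser error that the server answers with 400."""


def parse_request_line(line, hardened=True):
    """Split 'METHOD URI VERSION' and return (method, path, query)."""
    bits = line.split(None, 2)
    if len(bits) != 3 or not bits[2].startswith("HTTP/"):
        raise InvalidRequestLine(line)
    method, uri, _version = bits
    try:
        parts = urlsplit(uri)
    except ValueError as exc:
        if not hardened:
            raise  # behaviour in the report: the stdlib error escapes the parser
        # Unbalanced "[" or "]" in the authority is a client error, not a server error.
        raise InvalidRequestLine(line) from exc
    return method, parts.path, parts.query


def status_for(line, hardened=True):
    """Map parser outcomes to the status code a worker would send."""
    try:
        parse_request_line(line, hardened)
    except InvalidRequestLine:
        return 400
    except Exception:
        return 500  # any unexpected exception becomes Internal Server Error
    return 200


# Constructed request lines (not taken from the issue).
SAMPLES = [
    "GET /index.html HTTP/1.1",
    "GET http://[::1]:8000/a?b=1 HTTP/1.1",
    "GET http://[::1/ HTTP/1.1",
    "PUT //]ufd/: HTTP/1.1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(status_for(sample, hardened=False), status_for(sample), sample)
```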