Skip to content

/ gunicorn

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

glogging._get_user() fails to catch malformed authorization header #1683

Closed
jeiting opened this issue Jan 15, 2018 · 0 comments
Closed

glogging._get_user() fails to catch malformed authorization header #1683

jeiting opened this issue Jan 15, 2018 · 0 comments
Labels
bug :(

Comments

@jeiting
Copy link
Contributor

@jeiting jeiting commented Jan 15, 2018

I have a client that abuses the HTTP authorization header, passing "Basic (token)" where token is a random alphanumeric string. This causes the gunicorn logger to choke because, although it is a valid base64 string of data, it does not represent base64 encoded utf-8 string.

[2018-01-15 18:23:06 +0000] [15] [ERROR] Error handling request
Traceback (most recent call last):
  File "/app/.heroku/python/lib/python3.6/site-packages/gunicorn/glogging.py", line 269, in 
    'u': self._get_user(environ) or '-',
  File "/app/.heroku/python/lib/python3.6/site-packages/gunicorn/glogging.py", line 446, in 
    auth = auth.decode('utf-8')
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8b in position 0: invalid start byte

You can reproduce it with the following line:
base64.b64decode("ixsTtkKzIpVTncfQjbBcnoRNoDfbnaXG".encode('utf-8')).decode('utf-8')

I don't expect _get_user() to work properly in this case but it would be good for it to catch the error. Currently the code is in a try/catch but it is only handling TypeError, and binascii.Error, it should also catch and handle UnicodeDecodeError. I'm working on a PR now, should be ready shortly.
@jeiting jeiting mentioned this issue Jan 15, 2018
Merged
@berkerpeksag berkerpeksag added the bug :( label Jan 18, 2018
berkerpeksag added a commit that referenced this issue Jan 18, 2018
@jeiting @berkerpeksag
Handle UnicodeDecodeError in _get_user() (#1684)
Loading status checks…
f12ef22 
Fixes #1683
andraiaallsop added a commit to andraiaallsop/gunicorn that referenced this issue Mar 1, 2018
@jeiting @andraiaallsop
Handle UnicodeDecodeError in _get_user() (benoitc#1684)
6db33ae 
Fixes benoitc#1683
mjjbell pushed a commit to mjjbell/gunicorn that referenced this issue Mar 16, 2018
@jeiting @berkerpeksag
Handle UnicodeDecodeError in _get_user() (benoitc#1684)
b1536d2 
Fixes benoitc#1683
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug :(
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

Fix 1683 handle malformed basic auth header
2 participants
@berkerpeksag @jeiting