/gunicorn

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

glogging._get_user() fails to catch malformed authorization header #1683

Closed
jeiting opened this Issue Jan 15, 2018 · 0 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
No milestone
2 participants
@jeiting @berkerpeksag
@jeiting
Contributor

jeiting commented Jan 15, 2018

I have a client that abuses the HTTP authorization header, passing "Basic (token)" where token is a random alphanumeric string. This causes the gunicorn logger to choke because, although it is a valid base64 string of data, it does not represent base64 encoded utf-8 string.

[2018-01-15 18:23:06 +0000] [15] [ERROR] Error handling request
Traceback (most recent call last):
  File "/app/.heroku/python/lib/python3.6/site-packages/gunicorn/glogging.py", line 269, in 
    'u': self._get_user(environ) or '-',
  File "/app/.heroku/python/lib/python3.6/site-packages/gunicorn/glogging.py", line 446, in 
    auth = auth.decode('utf-8')
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8b in position 0: invalid start byte

You can reproduce it with the following line:
base64.b64decode("ixsTtkKzIpVTncfQjbBcnoRNoDfbnaXG".encode('utf-8')).decode('utf-8')

I don't expect _get_user() to work properly in this case but it would be good for it to catch the error. Currently the code is in a try/catch but it is only handling TypeError, and binascii.Error, it should also catch and handle UnicodeDecodeError. I'm working on a PR now, should be ready shortly.

@jeiting jeiting referenced this issue Jan 15, 2018

Merged

Fix 1683 handle malformed basic auth header #1684

@berkerpeksag berkerpeksag added the bug :( label Jan 18, 2018

@berkerpeksag berkerpeksag closed this in #1684 Jan 18, 2018

berkerpeksag added a commit that referenced this issue Jan 18, 2018

@jeiting @berkerpeksag
Handle UnicodeDecodeError in _get_user() (#1684) 
Fixes #1683
f12ef22

andraiaallsop added a commit to andraiaallsop/gunicorn that referenced this issue Mar 1, 2018

@jeiting @andraiaallsop
Handle UnicodeDecodeError in _get_user() (benoitc#1684) 
Fixes benoitc#1683
6db33ae

fofanov pushed a commit to fofanov/gunicorn that referenced this issue Mar 16, 2018

@jeiting @berkerpeksag
Handle UnicodeDecodeError in _get_user() (benoitc#1684) 
Fixes benoitc#1683
b1536d2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment