glogging._get_user() fails to catch malformed authorization header #1683

Closed
jeiting opened this issue Jan 15, 2018 · 0 comments
@jeiting jeiting commented Jan 15, 2018

I have a client that abuses the HTTP authorization header, passing "Basic (token)" where token is a random alphanumeric string. This causes the gunicorn logger to choke because, although it is a valid base64 string of data, it does not represent a base64-encoded UTF-8 string.

```
[2018-01-15 18:23:06 +0000] [15] [ERROR] Error handling request
Traceback (most recent call last):
  File "/app/.heroku/python/lib/python3.6/site-packages/gunicorn/glogging.py", line 269, in 
    'u': self._get_user(environ) or '-',
  File "/app/.heroku/python/lib/python3.6/site-packages/gunicorn/glogging.py", line 446, in 
    auth = auth.decode('utf-8')
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8b in position 0: invalid start byte
```

You can reproduce it with the following line:
```python
import base64
base64.b64decode("ixsTtkKzIpVTncfQjbBcnoRNoDfbnaXG".encode('utf-8')).decode('utf-8')  # raises UnicodeDecodeError
```

I don't expect _get_user() to work properly in this case, but it would be good for it to catch the error. Currently the code is in a try/catch but it is only handling TypeError and binascii.Error; it should also catch and handle UnicodeDecodeError. I'm working on a PR now, should be ready shortly.

@berkerpeksag berkerpeksag added the bug :( label Jan 18, 2018
berkerpeksag added a commit that referenced this issue Jan 18, 2018
andraiaallsop added a commit to andraiaallsop/gunicorn that referenced this issue Mar 1, 2018
mjjbell pushed a commit to mjjbell/gunicorn that referenced this issue Mar 16, 2018
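
A header parser for access logging that treats every decoding failure in a client-supplied Authorization header as "no user" instead of failing the request, shown here as an added example (not part of the original issue and not gunicorn's own code). The function name `basic_auth_user` and the sample headers are constructed for illustration; only the random token is the one quoted in the issue.

```python
import base64
import binascii


def basic_auth_user(environ):
    """Return the user name from an HTTP Basic Authorization header, or None.

    Hypothetical helper, not gunicorn's _get_user(). The header is
    client-controlled, so no malformed value may raise out of the logger.
    """
    header = environ.get("HTTP_AUTHORIZATION")
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip().encode("ascii"), validate=True)
        creds = raw.decode("utf-8")
    except (TypeError, binascii.Error, UnicodeError):
        # binascii.Error: not base64, or bad padding.
        # UnicodeError covers a non-ASCII token (encode) and decoded
        # bytes that are not valid UTF-8 (the case reported in the issue).
        return None
    user, sep, _password = creds.partition(":")
    return user if sep else None  # "user:password" is required


# Constructed sample headers, plus the token quoted in the issue.
SAMPLES = {
    "valid": "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii"),
    "issue_token": "Basic ixsTtkKzIpVTncfQjbBcnoRNoDfbnaXG",
    "not_base64": "Basic !!!notbase64",
    "bad_padding": "Basic YWxpY2U",
    "non_ascii": "Basic \u00e9\u00e9\u00e9\u00e9",
    "other_scheme": "Bearer abc.def.ghi",
}


def log_user_field(header):
    """Value for the access-log user field; '-' when no user is recoverable."""
    environ = {} if header is None else {"HTTP_AUTHORIZATION": header}
    return basic_auth_user(environ) or "-"


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", log_user_field(value))
```
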