glogging._get_user() fails to catch malformed authorization header #1683
berkerpeksag added a commit that referenced this issue on Jan 18, 2018.
andraiaallsop added a commit to andraiaallsop/gunicorn that referenced this issue on Mar 1, 2018.
mjjbell pushed a commit to mjjbell/gunicorn that referenced this issue on Mar 16, 2018.
I have a client that abuses the HTTP authorization header, passing "Basic (token)" where token is a random alphanumeric string. This causes the gunicorn logger to choke because, although it is a valid base64 string of data, it does not represent a base64-encoded UTF-8 string.
You can reproduce it with the following line:
```python
import base64

# Valid base64, but the decoded bytes are not valid UTF-8: raises UnicodeDecodeError
base64.b64decode("ixsTtkKzIpVTncfQjbBcnoRNoDfbnaXG".encode('utf-8')).decode('utf-8')
```
I don't expect _get_user() to work properly in this case, but it would be good for it to catch the error. Currently the code is in a try/catch, but it is only handling TypeError and binascii.Error; it should also catch and handle UnicodeDecodeError. I'm working on a PR now; should be ready shortly.
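The failure mode described in this issue, and the fix it proposes, as an added example that is not gunicorn's own code: `failure_kind()` reproduces the decode step on a token and names the exception it raises, and `get_user()` is a hypothetical Basic-auth parser (modelled on the behaviour the issue describes, not the real `_get_user()`) that treats every malformed header, including the UTF-8 case, as "no user" instead of propagating an exception into the access logger. The token value is the one from the issue; the `alice:secret` header is constructed for the test.

```python
import base64
import binascii

# Token from the issue: valid base64 characters whose decoded bytes are not UTF-8.
MALFORMED_TOKEN = "ixsTtkKzIpVTncfQjbBcnoRNoDfbnaXG"


def failure_kind(token):
    """Decode `token` exactly as the issue's one-liner does and return the
    name of the exception that escapes, or None if decoding succeeds."""
    try:
        base64.b64decode(token.encode("utf-8")).decode("utf-8")
    except (TypeError, binascii.Error, UnicodeDecodeError) as exc:
        return type(exc).__name__
    return None


def get_user(auth_header):
    """Return the user name from a 'Basic <base64>' Authorization header, or
    None for anything that cannot be decoded. Hypothetical helper; the point
    is the except clause, which also covers UnicodeDecodeError so that an
    attacker-controlled header can never crash the logging path."""
    if not auth_header:
        return None
    parts = auth_header.split(" ", 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1].strip().encode("utf-8")).decode("utf-8")
    except (TypeError, binascii.Error, UnicodeDecodeError):
        # Malformed credentials: log no user rather than raising.
        return None
    user, _, _password = decoded.partition(":")
    return user or None


if __name__ == "__main__":
    print(failure_kind(MALFORMED_TOKEN))          # UnicodeDecodeError
    print(get_user("Basic " + MALFORMED_TOKEN))   # None
    print(get_user("Basic YWxpY2U6c2VjcmV0"))     # alice  (constructed: alice:secret)
```

Catching only `TypeError` and `binascii.Error` guards against bad base64 padding or alphabet, but a client can always supply bytes that are well-formed base64 and still not UTF-8, so the decode of the decoded bytes needs its own guard; anything an unauthenticated client controls should be treated as untrusted input all the way into logging.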