Login form does not handle NULs #4159

@mkrogh

Describe the bug
It seems there is a NUL byte problem in the login form. Our Nessus scanner came by and triggered an exception.

To Reproduce
This one is a bit tricky to reproduce, since you need to inject a null byte.
Not sure how to do that from the web form, but you should be able to do it directly to the backend.

Expected behavior
I would expect bad user input to serve up a 400 error and not a 500 that produces a stacktrace.

Catching the ValueError might be the solution in this case.

Additional context
An example of the error message:

2019-11-16 21:49:23,476  1a8ef9e1a5eb4b69  indico.flask - ERROR errors.py:96 -- A string literal cannot contain NUL (0x00) characters.

Traceback (most recent call last):
 File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1949, in full_dispatch_request
   rv = self.dispatch_request()
 File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1935, in dispatch_request
   return self.view_functions[rule.endpoint](**req.view_args)
 File "/usr/local/lib/python2.7/dist-packages/indico/web/flask/util.py", line 84, in wrapper
   return obj().process()
 File "/usr/local/lib/python2.7/dist-packages/indico/web/rh.py", line 275, in process
   res = self._do_process()
 File "/usr/local/lib/python2.7/dist-packages/indico/web/rh.py", line 245, in _do_process
   rv = self._process()
 File "/usr/local/lib/python2.7/dist-packages/indico/modules/auth/controllers.py", line 89, in _process
   response = multipass.handle_login_form(provider, form.data)
 File "/usr/local/lib/python2.7/dist-packages/flask_multipass/core.py", line 459, in handle_login_form
   response = provider.process_local_login(data)
 File "/usr/local/lib/python2.7/dist-packages/flask_multipass/providers/sqlalchemy.py", line 55, in process_local_login
   type(self).identifier_column == data['identifier']).first()
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 3222, in first
   ret = list(self[0:1])
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 3012, in __getitem__
   return list(res)
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 3324, in __iter__
   return self._execute_and_instances(context)
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 3349, in _execute_and_instances
   result = conn.execute(querycontext.statement, self._params)
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 988, in execute
   return meth(self, multiparams, params)
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/sql/elements.py", line 287, in _execute_on_connection
   return connection._execute_clauseelement(self, multiparams, params)
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1107, in _execute_clauseelement
   distilled_params,
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1248, in _execute_context
   e, statement, parameters, cursor, context
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1468, in _handle_dbapi_exception
   util.reraise(*exc_info)
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1244, in _execute_context
   cursor, statement, parameters, context
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/default.py", line 550, in do_execute
   cursor.execute(statement, parameters)
ValueError: A string literal cannot contain NUL (0x00) characters.

{u'data': {u'get': {},
          u'headers': {'Accept': u'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*',
                       'Accept-Charset': u'iso-8859-1,utf-8;q=0.9,*;q=0.1',
                       'Accept-Language': u'en',
                       'Connection': u'Keep-Alive',
                       'Content-Length': u'171',
                       'Content-Type': u'application/x-www-form-urlencoded',
                       'Cookie': u'indico_session=***',
                       'Host': u'indico-02.***',
                       'Pragma': u'no-cache',
                       'User-Agent': u'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'},
          u'json': None,
          u'post': {'_provider': u'indico',
                    'csrf_token': u'00000000-0000-0000-0000-000000000000',
                    'identifier': u'../../../../../../../../etc/passwd\x00',
                    'next': u'%2F%23create-event%3Alecture',
                    'password': u'<8 chars hidden>'},
          u'url': {}},
u'endpoint': u'auth.login',
u'id': '1a8ef9e1a5eb4b69',
u'ip': '***',
u'method': 'POST',
u'referrer': None,
u'rh': 'RHLogin',
u'time': '2019-11-16T21:49:23.477402',
u'url': u'https://SERVERNAME/login/',
u'user': None,
u'user_agent': u'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
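The two defences this report points at, as an added example that is not Indico's or flask-multipass's own code: reject NUL bytes in form fields before they reach the database (a 400), and map the database driver's `ValueError` to a 400 if one slips through. `BadRequest`, `validate_form_data`, `lookup_identity` and `handle_login` are hypothetical names; `lookup_identity` only mimics the driver's behaviour and does not talk to a database.

```python
# Added example (hypothetical names); not code from Indico or flask-multipass.
# Layer 1: validate the login form so NUL bytes never reach the query.
# Layer 2: treat the DB driver's ValueError as a client error, not a 500.

class BadRequest(Exception):
    """Stand-in for the HTTP 400 exception a web framework would raise."""
    status_code = 400


def contains_nul(value):
    """True if a str or bytes value contains a NUL (0x00) character."""
    if isinstance(value, bytes):
        return b"\x00" in value
    return isinstance(value, str) and "\x00" in value


def validate_form_data(data):
    """Return the sorted names of fields containing NUL; [] means the form is clean."""
    return sorted(name for name, value in data.items() if contains_nul(value))


def lookup_identity(identifier):
    """Stand-in for the SQLAlchemy query in process_local_login.

    psycopg2 refuses NUL in a string parameter with the ValueError seen in the
    traceback above; this constructed function raises the same error and
    otherwise pretends the user exists.
    """
    if "\x00" in identifier:
        raise ValueError("A string literal cannot contain NUL (0x00) characters.")
    return {"identifier": identifier}  # constructed: no real database lookup


def handle_login(data):
    """Return (http_status, body) for a submitted login form."""
    # Layer 1: bad input is the client's fault, so answer 400 up front.
    bad_fields = validate_form_data(data)
    if bad_fields:
        return 400, "invalid characters in field(s): " + ", ".join(bad_fields)
    try:
        identity = lookup_identity(data["identifier"])
    except ValueError:
        # Layer 2: the driver rejected the parameter. Still a client error, so
        # answer 400 instead of letting it propagate as a 500 with a stack trace.
        return 400, "invalid login data"
    return 200, "welcome " + identity["identifier"]
```

Layer 2 matters on its own because other code paths (API clients, other forms) may hand the same query a value that never passed the form validator.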
