Describe the bug
It seems there is a NUL byte problem in the login form. Our Nessus scanner came by and triggered an exception.
To Reproduce
This one is a bit tricky to reproduce, since you need to inject a null byte.
Not sure how to do that from the web form, but you should be able to do it directly to the backend.
Expected behavior
I would expect bad user input to serve up a 400 error and not a 500 that produces a stacktrace.
Catching the ValueError might be the solution in this case.
Additional context
An example of the error message
2019-11-16 21:49:23,476 1a8ef9e1a5eb4b69 indico.flask - ERROR errors.py:96 -- A string literal cannot contain NUL (0x00) characters.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1949, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1935, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/local/lib/python2.7/dist-packages/indico/web/flask/util.py", line 84, in wrapper
    return obj().process()
  File "/usr/local/lib/python2.7/dist-packages/indico/web/rh.py", line 275, in process
    res = self._do_process()
  File "/usr/local/lib/python2.7/dist-packages/indico/web/rh.py", line 245, in _do_process
    rv = self._process()
  File "/usr/local/lib/python2.7/dist-packages/indico/modules/auth/controllers.py", line 89, in _process
    response = multipass.handle_login_form(provider, form.data)
  File "/usr/local/lib/python2.7/dist-packages/flask_multipass/core.py", line 459, in handle_login_form
    response = provider.process_local_login(data)
  File "/usr/local/lib/python2.7/dist-packages/flask_multipass/providers/sqlalchemy.py", line 55, in process_local_login
    type(self).identifier_column == data['identifier']).first()
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 3222, in first
    ret = list(self[0:1])
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 3012, in __getitem__
    return list(res)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 3324, in __iter__
    return self._execute_and_instances(context)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 3349, in _execute_and_instances
    result = conn.execute(querycontext.statement, self._params)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 988, in execute
    return meth(self, multiparams, params)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/sql/elements.py", line 287, in _execute_on_connection
    return connection._execute_clauseelement(self, multiparams, params)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1107, in _execute_clauseelement
    distilled_params,
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1248, in _execute_context
    e, statement, parameters, cursor, context
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1468, in _handle_dbapi_exception
    util.reraise(*exc_info)
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1244, in _execute_context
    cursor, statement, parameters, context
  File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/default.py", line 550, in do_execute
    cursor.execute(statement, parameters)
ValueError: A string literal cannot contain NUL (0x00) characters.
{u'data': {u'get': {},
           u'headers': {'Accept': u'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*',
                        'Accept-Charset': u'iso-8859-1,utf-8;q=0.9,*;q=0.1',
                        'Accept-Language': u'en',
                        'Connection': u'Keep-Alive',
                        'Content-Length': u'171',
                        'Content-Type': u'application/x-www-form-urlencoded',
                        'Cookie': u'indico_session=***',
                        'Host': u'indico-02.***',
                        'Pragma': u'no-cache',
                        'User-Agent': u'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'},
           u'json': None,
           u'post': {'_provider': u'indico',
                     'csrf_token': u'00000000-0000-0000-0000-000000000000',
                     'identifier': u'../../../../../../../../etc/passwd\x00',
                     'next': u'%2F%23create-event%3Alecture',
                     'password': u'<8 chars hidden>'},
           u'url': {}},
 u'endpoint': u'auth.login',
 u'id': '1a8ef9e1a5eb4b69',
 u'ip': '***',
 u'method': 'POST',
 u'referrer': None,
 u'rh': 'RHLogin',
 u'time': '2019-11-16T21:49:23.477402',
 u'url': u'https://SERVERNAME/login/',
 u'user': None,
 u'user_agent': u'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
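An added example, not part of the original report and not Indico or Flask-Multipass code: a standard-library WSGI login handler (Python 3) that rejects NUL bytes in form fields with a 400 before the value reaches the database layer. `lookup_identity`, `find_nul_fields`, `make_login_app` and `post` are hypothetical names, and `lookup_identity` only imitates the driver behaviour seen in the traceback.

```python
import io
from urllib.parse import parse_qs

def lookup_identity(identifier):
    # Stand-in for the DB driver in the traceback, which refuses NUL in parameters.
    if "\x00" in identifier:
        raise ValueError("A string literal cannot contain NUL (0x00) characters.")
    return None  # constructed: no such user exists in this example

def find_nul_fields(form):
    """Return the names of form fields whose value contains a NUL byte."""
    return sorted(name for name, value in form.items() if "\x00" in value)

def make_login_app(validate):
    def app(environ, start_response):
        size = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(size).decode("utf-8", "replace")
        # parse_qs percent-decodes, so %00 in the body becomes "\x00" here.
        form = {k: v[-1] for k, v in parse_qs(raw, keep_blank_values=True).items()}
        if validate and find_nul_fields(form):
            # Client error: answer 400 and do not echo the offending value.
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Invalid characters in form data\n"]
        # Without validation the ValueError propagates and becomes a 500.
        user = lookup_identity(form.get("identifier", ""))
        status = "200 OK" if user else "401 Unauthorized"
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode() + b"\n"]
    return app

def post(app, body):
    """Send a constructed form POST to a WSGI app and return its status line."""
    data = body.encode()
    seen = []
    environ = {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": "/login/",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(data)),
        "wsgi.input": io.BytesIO(data),
    }
    b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0]

# Constructed request bodies; the first mirrors the identifier shown in the report.
SCANNER_BODY = "_provider=indico&identifier=..%2F..%2Fetc%2Fpasswd%00&password=x"
NORMAL_BODY = "_provider=indico&identifier=alice&password=x"

if __name__ == "__main__":
    print(post(make_login_app(validate=True), SCANNER_BODY))
    print(post(make_login_app(validate=True), NORMAL_BODY))
```

Validating at the form layer keeps the rejection out of the error log, whereas catching `ValueError` around the query would also swallow unrelated `ValueError`s raised further down the stack.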