Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Login form does not handle NULs #4159

mkrogh opened this issue Nov 18, 2019 · 2 comments

Login form does not handle NULs #4159

mkrogh opened this issue Nov 18, 2019 · 2 comments


Copy link

mkrogh commented Nov 18, 2019

Describe the bug
It seems there is a NUL byte problem in the login form. Our Nessus scanner came by and triggered an exception.

To Reproduce
This one is a bit tricky to reproduce, since you need to inject a null byte.
Not sure how to do that from the web form, but you should be able to do it directly to the backend.

Expected behavior
I would expect bad user input to serve up a 400 error and not a 500 that produces a stacktrace.

Catching the ValueError might be the solution in this case.

Additional context
An example of the error message

2019-11-16 21:49:23,476  1a8ef9e1a5eb4b69  indico.flask - ERROR -- A string literal cannot contain NUL (0x00) characters.

Traceback (most recent call last):
 File "/usr/local/lib/python2.7/dist-packages/flask/", line 1949, in full_dispatch_request
   rv = self.dispatch_request()
 File "/usr/local/lib/python2.7/dist-packages/flask/", line 1935, in dispatch_request
   return self.view_functions[rule.endpoint](**req.view_args)
 File "/usr/local/lib/python2.7/dist-packages/indico/web/flask/", line 84, in wrapper
   return obj().process()
 File "/usr/local/lib/python2.7/dist-packages/indico/web/", line 275, in process
   res = self._do_process()
 File "/usr/local/lib/python2.7/dist-packages/indico/web/", line 245, in _do_process
   rv = self._process()
 File "/usr/local/lib/python2.7/dist-packages/indico/modules/auth/", line 89, in _process
   response = multipass.handle_login_form(provider,
 File "/usr/local/lib/python2.7/dist-packages/flask_multipass/", line 459, in handle_login_form
   response = provider.process_local_login(data)
 File "/usr/local/lib/python2.7/dist-packages/flask_multipass/providers/", line 55, in process_local_login
   type(self).identifier_column == data['identifier']).first()
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/", line 3222, in first
   ret = list(self[0:1])
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/", line 3012, in __getitem__
   return list(res)
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/", line 3324, in __iter__
   return self._execute_and_instances(context)
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/", line 3349, in _execute_and_instances
   result = conn.execute(querycontext.statement, self._params)
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/", line 988, in execute
   return meth(self, multiparams, params)
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/sql/", line 287, in _execute_on_connection
   return connection._execute_clauseelement(self, multiparams, params)
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/", line 1107, in _execute_clauseelement
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/", line 1248, in _execute_context
   e, statement, parameters, cursor, context
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/", line 1468, in _handle_dbapi_exception
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/", line 1244, in _execute_context
   cursor, statement, parameters, context
 File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/", line 550, in do_execute
   cursor.execute(statement, parameters)
ValueError: A string literal cannot contain NUL (0x00) characters.

{u'data': {u'get': {},
          u'headers': {'Accept': u'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*',
                       'Accept-Charset': u'iso-8859-1,utf-8;q=0.9,*;q=0.1',
                       'Accept-Language': u'en',
                       'Connection': u'Keep-Alive',
                       'Content-Length': u'171',
                       'Content-Type': u'application/x-www-form-urlencoded',
                       'Cookie': u'indico_session=***',
                       'Host': u'indico-02.***',
                       'Pragma': u'no-cache',
                       'User-Agent': u'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'},
          u'json': None,
          u'post': {'_provider': u'indico',
                    'csrf_token': u'00000000-0000-0000-0000-000000000000',
                    'identifier': u'../../../../../../../../etc/passwd\x00',
                    'next': u'%2F%23create-event%3Alecture',
                    'password': u'<8 chars hidden>'},
          u'url': {}},
u'endpoint': u'auth.login',
u'id': '1a8ef9e1a5eb4b69',
u'ip': '***',
u'method': 'POST',
u'referrer': None,
u'rh': 'RHLogin',
u'time': '2019-11-16T21:49:23.477402',
u'url': u'https://SERVERNAME/login/',
u'user': None,
u'user_agent': u'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'}
Copy link

fyi, those errors are perfectly safe to ignore and I'd recommend you to disable error email notifications in the logging config

Copy link

0323765 supposedly fixed this, but only applies it to query string args and not POST data. we'll fix that.

@ThiefMaster ThiefMaster added this to the v2.2 milestone Nov 18, 2019
@ThiefMaster ThiefMaster changed the title Login form does not handle Login form does not handle NULs Nov 18, 2019
@ThiefMaster ThiefMaster self-assigned this Nov 18, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

No branches or pull requests

2 participants