Mercurial > p > roundup > code

diff CHANGES.txt @ 5549:901d7ba146ad

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Avoid errors from invalid Authorization headers (issue2550992). When a client sends an invalid HTTP Authorization header, this can result in an email being sent to the admin with a backtrace and the "An error has occurred" page being returned to the client, rather than it just being treated as a normal authentication failure. I've observed this happening with an "Authorization: Bearer" header (missing the argument that should come after Bearer); I don't know what client was sending that invalid header, but since it just sent HEAD requests for three random pages with the invalid header, I'm reasonably sure it was a malfunctioning bot rather than any normal browser used by a human. The problem is in the code: # try handling Basic Auth ourselves auth = self.env['HTTP_AUTHORIZATION'] scheme, challenge = auth.split(' ', 1) which results in "ValueError: need more than 1 value to unpack" in the case where the split() call returns only one value. As a malfunctioning client (quite likely probing lots of sites for some sort of vulnerability in some unrelated web service; any site accessible from the public Internet must expect to receive many such probes all the time), it both isn't useful to report to the Roundup admin (because there are such clients attempting dubious things all the time for any site, so reporting them to the admin is just noise) and in the form of that exception gives no user-friendly information to the admin either. Now subsequent code in the Authorization handling *does* catch errors from invalid arguments, so the code certainly isn't consistently trying to pass such exceptions through to the admin either: try: decoded = b2s(base64.b64decode(challenge)) except TypeError: # invalid challenge decoded = '' This fix arranges for ValueError exceptions to be similarly caught around the tuple unpacking of both the header contents and the decoded challenge for Basic auth, so that those exceptions also do not result in exception emails.
author Joseph Myers <jsm@polyomino.org.uk>
date Thu, 27 Sep 2018 11:38:05 +0000
parents fea11d05110e
children 33f8bb777659
line wrap: on
line diff
--- a/CHANGES.txt	Thu Sep 27 11:33:01 2018 +0000
+++ b/CHANGES.txt	Thu Sep 27 11:38:05 2018 +0000
@@ -49,6 +49,8 @@
   Schlatterbeck)
 - issue2550722: avoid errors from selecting "no selection" on
   multilink. (Joseph Myers)
+- issue2550992: avoid errors from invalid Authorization
+  headers. (Joseph Myers)
 
 
 2018-07-13 1.6.0
Roundup Issue Tracker: http://roundup-tracker.org/