
@jh0ker jh0ker commented Apr 15, 2018

As pointed out in #1072, malicious clients can send arbitrary callback_data in callback queries, even bytes that can't be decoded using the utf-8 codec. This would bring the whole bot to a halt.

```python
    data = json.loads(decoded_s)
except UnicodeDecodeError:
    logging.getLogger(__name__).debug(
        'Logging raw invalid UTF-8 response:\n%s', str(json_data))
```
Contributor


In Python 2 str is the byte array type, so str(json_data) is a no-op (the bogus UTF-8 will enter the logging stream). I didn't realize str(b'...') was the same as repr(b'...') in Python 3 until I just tried it; is that what you were intending? What about just ('Logging raw invalid UTF-8 response:\n%r', json_data)?

Member Author


That's better :)
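The failure mode from the PR description and the reviewer's %r point, as an added example that is not part of this thread or the project's code: a guarded decode of untrusted callback-query bytes next to the unguarded pre-fix shape, run over constructed sample inputs. The function names are hypothetical.

```python
import json
import logging

log = logging.getLogger(__name__)


def parse_callback_data(json_data):
    """Decode and parse raw bytes received from an untrusted client.

    Returns the parsed object, or None when the bytes are not valid UTF-8
    or not valid JSON, so a single malformed update cannot halt the bot.
    """
    try:
        decoded_s = json_data.decode('utf-8')
    except UnicodeDecodeError:
        # %r logs the repr (b'...\xff...') on both Python 2 and 3, so the
        # undecodable bytes never enter the log stream raw.
        log.debug('Logging raw invalid UTF-8 response:\n%r', json_data)
        return None
    try:
        return json.loads(decoded_s)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        log.debug('Logging invalid JSON response:\n%r', decoded_s)
        return None


def render_log_line(json_data):
    """The message the guarded path logs, built exactly as logging would."""
    return 'Logging raw invalid UTF-8 response:\n%r' % (json_data,)


def unsafe_parse(json_data):
    """Pre-fix shape: decode without a guard, so bad bytes raise."""
    return json.loads(json_data.decode('utf-8'))


def pre_fix_halts(json_data):
    """True if the unguarded path raises on this input (bot would stop)."""
    try:
        unsafe_parse(json_data)
        return False
    except UnicodeDecodeError:
        return True


# Constructed sample inputs (not taken from the PR or the Telegram API).
GOOD = b'{"callback_query": {"data": "vote:42"}}'
BAD_UTF8 = b'{"callback_query": {"data": "\xff\xfe"}}'  # not decodable
BAD_JSON = b'{"callback_query": '                           # truncated
```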

@tsnoam tsnoam merged commit b77b329 into master Apr 17, 2018
@jsmnbom jsmnbom deleted the malicious-callback-data branch September 1, 2018 17:47
@github-actions github-actions bot locked and limited conversation to collaborators Aug 21, 2020
@Bibo-Joshi Bibo-Joshi added 🔌 bug pr description: bug and removed bug 🐛 labels Nov 3, 2024