glogging._get_user() fails to catch malformed authorization header #1683

Closed
jeiting opened this issue Jan 15, 2018 · 0 comments · Fixed by #1684
jeiting commented Jan 15, 2018

I have a client that abuses the HTTP authorization header, passing "Basic (token)" where token is a random alphanumeric string. This causes the gunicorn logger to choke because, although it is a valid base64 string of data, it does not represent a base64-encoded UTF-8 string.

[2018-01-15 18:23:06 +0000] [15] [ERROR] Error handling request
Traceback (most recent call last):
  File "/app/.heroku/python/lib/python3.6/site-packages/gunicorn/glogging.py", line 269, in 
    'u': self._get_user(environ) or '-',
  File "/app/.heroku/python/lib/python3.6/site-packages/gunicorn/glogging.py", line 446, in 
    auth = auth.decode('utf-8')
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8b in position 0: invalid start byte

You can reproduce it with the following line:
import base64; base64.b64decode("ixsTtkKzIpVTncfQjbBcnoRNoDfbnaXG".encode('utf-8')).decode('utf-8')

I don't expect _get_user() to work properly in this case, but it would be good for it to catch the error. Currently the code is in a try/catch but it is only handling TypeError and binascii.Error; it should also catch and handle UnicodeDecodeError. I'm working on a PR now; it should be ready shortly.
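
The failure mode reported above, as an added example that is not part of the issue and not gunicorn's own code: a Basic-auth user extractor for access logging that returns `None` for any unparseable header, run with the exception set the report describes as current and with the one it proposes. The names `basic_auth_user`, `HANDLED_BEFORE` and `HANDLED_AFTER` are hypothetical, and every sample header except the token quoted in the report is constructed.

```python
import base64
import binascii

# Hypothetical names for illustration; this is not gunicorn's _get_user().
HANDLED_BEFORE = (TypeError, binascii.Error)                     # as described in the report
HANDLED_AFTER = (TypeError, binascii.Error, UnicodeDecodeError)  # as the report proposes


def basic_auth_user(environ, handled=HANDLED_AFTER):
    """Return the user name from a Basic Authorization header, or None.

    The header is client-controlled, so every parse failure must end in
    None rather than an exception that aborts request handling.
    """
    header = environ.get("HTTP_AUTHORIZATION")
    if not header:
        return None
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload.strip().encode("utf-8"))
        text = raw.decode("utf-8")  # valid base64 is not necessarily valid UTF-8
    except handled:
        return None
    user, sep, _password = text.partition(":")
    return user if sep else None  # no colon means no "user:password" pair


if __name__ == "__main__":
    samples = {  # constructed headers, except "report token"
        "well formed": "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii"),
        "report token": "Basic ixsTtkKzIpVTncfQjbBcnoRNoDfbnaXG",
        "bad padding": "Basic abc",
        "other scheme": "Bearer abcdef",
    }
    for label, value in samples.items():
        environ = {"HTTP_AUTHORIZATION": value}
        try:
            before = repr(basic_auth_user(environ, handled=HANDLED_BEFORE))
        except UnicodeDecodeError as exc:
            before = "raised " + type(exc).__name__
        after = repr(basic_auth_user(environ))
        print(f"{label:13} before={before:26} after={after}")
```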

berkerpeksag pushed a commit that referenced this issue Jan 18, 2018

Fixes #1683
andraiaallsop pushed a commit to andraiaallsop/gunicorn that referenced this issue Mar 1, 2018

Fixes benoitc#1683
mjjbell pushed a commit to mjjbell/gunicorn that referenced this issue Mar 16, 2018

Fixes benoitc#1683