Handle bad xmlrpc data with BadRequest (#1244)

djay · pre-commit-ci-lite[bot] · dataflake · web-flow · commit 1595981bb0ad · 2025-01-14T09:50:29.000Z
* Handle bad xmlrpc data with BadRequest

helps ignore spam/pentest requests

* Apply pre-commit code formatting

* - add change log entry

---------

Co-authored-by: pre-commit-ci-lite[bot] &lt;117423508+pre-commit-ci-lite[bot]@users.noreply.github.com&gt;
Co-authored-by: Jens Vagelpohl &lt;jens@plyp.com&gt;
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -10,6 +10,8 @@ https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
 5.11.2 (unreleased)
 -------------------
 
+- Fix error messages from spam/pen test requests.
+
 - Fix a ``ResourceWarning`` emitted when uploading large files.
   (`#1242 <https://github.com/zopefoundation/Zope/issues/1242>`_)
 
@@ -24,6 +26,7 @@ https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
 
 - Update to ``zope.interface = 7.2``.
 
+
 5.11.1 (2024-11-03)
 -------------------
 
diff --git a/src/ZPublisher/HTTPRequest.py b/src/ZPublisher/HTTPRequest.py
@@ -24,6 +24,7 @@
 from urllib.parse import parse_qsl
 from urllib.parse import unquote
 from urllib.parse import urlparse
+from xmlrpc.client import ResponseError
 
 from AccessControl.tainted import should_be_tainted as base_should_be_tainted
 from AccessControl.tainted import taint_string
@@ -872,7 +873,10 @@ def processInputs(
             if meth is not None:
                 raise BadRequest('method directive not supported for '
                                  'xmlrpc request')
-            meth, self.args = xmlrpc.parse_input(fs.value)
+            try:
+                meth, self.args = xmlrpc.parse_input(fs.value)
+            except ResponseError as e:
+                raise BadRequest(e)
             response = xmlrpc.response(response)
             other['RESPONSE'] = self.response = response
             self.maybe_webdav_client = 0
