
Handle bad xmlrpc data with BadRequest #1244

Merged
merged 3 commits into from
Jan 14, 2025

Conversation

djay
Contributor

@djay djay commented Jan 13, 2025

helps ignore spam/pentest requests

@djay djay requested a review from d-maurer January 13, 2025 05:27
@dataflake
Member

I have observed requests like this and similar over the last few months. There are a couple other types that provoke tracebacks like this. The requested URL as stored in REQUEST['ACTUAL_URL'] on all of these requests is None?...unknown...

Traceback (innermost last):
Module ZPublisher.WSGIPublisher, line 181, in transaction_pubevents
Module ZPublisher.WSGIPublisher, line 390, in publish_module
Module ZPublisher.WSGIPublisher, line 252, in publish
Module ZPublisher.HTTPRequest, line 498, in processInputs
Module ZPublisher.HTTPRequest, line 1471, in __init__
Module multipart, line 218, in parts
Module multipart, line 212, in __iter__
Module multipart, line 285, in _iterparse
multipart.MultipartError: Stream does not contain boundary

Traceback (innermost last):
Module ZPublisher.WSGIPublisher, line 181, in transaction_pubevents
Module ZPublisher.WSGIPublisher, line 390, in publish_module
Module ZPublisher.WSGIPublisher, line 252, in publish
Module ZPublisher.HTTPRequest, line 544, in processInputs
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xad in position 0: invalid start byte

Contributor

@d-maurer d-maurer left a comment


Please add a changelog entry

@dataflake dataflake merged commit 1595981 into master Jan 14, 2025
26 checks passed
@dataflake dataflake deleted the djay-handle-badrequests branch January 14, 2025 09:50
@dataflake
Member

I have added the change log entry and merged it myself because I want this on master before creating a branch to work on the other types of spam/pen test requests I have been seeing.

@djay
Contributor Author

djay commented Jan 14, 2025

@dataflake there is another. A call like blah.jpg/@@images (i.e. missing the rest of the path). Then you get:

ViewNotCallableError: __call__
  File "ZPublisher/WSGIPublisher.py", line 181, in transaction_pubevents
    yield
  File "ZPublisher/WSGIPublisher.py", line 391, in publish_module
    response = _publish(request, new_mod_info)
  File "ZPublisher/WSGIPublisher.py", line 269, in publish
    obj = request.traverse(path, validated_hook=validate_user)
  File "ZPublisher/BaseRequest.py", line 483, in traverse
    object, default_path = adapter.browserDefault(self)
  File "/app/eggs/zope.browserpage-4.4.0-py3.9.egg/zope/browserpage/metaconfigure.py", line 434, in browserDefault
    meth = getattr(self, attr)
  File "app/eggs/Zope-5.8.5-py3.9.egg/Products/Five/browser/metaconfigure.py", line 448, in __call__
    raise ViewNotCallableError('__call__')

Which I think should also be a BadRequest.
If you don't want to handle it I can open another PR.
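The tracebacks quoted above (an undecodable 0xad byte, a multipart body without its declared boundary, malformed xmlrpc XML) share the treatment this PR's title describes: parser-level failures become a 400 BadRequest while genuine server bugs keep propagating. The following is an added standalone Python illustration of that mapping, not Zope's code or this PR's patch; BadRequest, parse_body and respond are constructed names and the multipart check is deliberately simplified.

```python
import re
import xml.parsers.expat
import xmlrpc.client


class BadRequest(Exception):
    """Client error: the request body cannot be parsed (HTTP 400)."""


def _boundary(content_type):
    # RFC 2046: a multipart media type must carry a boundary parameter.
    m = re.search(r';\s*boundary=("?)([^";]+)\1', content_type)
    return m.group(2) if m else None


def parse_body(content_type, body):
    """Parse a request body, raising BadRequest for malformed client input."""
    if content_type.startswith("text/xml"):
        # xmlrpc: an undecodable byte such as 0xad, truncated XML, or a
        # document that is not a methodCall all become a 400, not a 500.
        try:
            params, method = xmlrpc.client.loads(body.decode("utf-8"))
        except UnicodeDecodeError as e:
            raise BadRequest(f"xmlrpc body is not UTF-8: {e.reason}") from e
        except (xml.parsers.expat.ExpatError, xmlrpc.client.Error,
                ValueError) as e:
            raise BadRequest(f"malformed xmlrpc payload: {e}") from e
        return {"method": method, "params": params}
    if content_type.startswith("multipart/form-data"):
        # Simplified multipart check: the declared boundary must be present.
        boundary = _boundary(content_type)
        if boundary is None:
            raise BadRequest("multipart content type has no boundary")
        if ("--" + boundary).encode() not in body:
            raise BadRequest("stream does not contain boundary")
        return {"boundary": boundary}
    try:
        return {"text": body.decode("utf-8")}
    except UnicodeDecodeError as e:
        raise BadRequest(f"body is not UTF-8: {e.reason}") from e


def respond(content_type, body):
    """Return (status, payload). Only BadRequest is translated to 400;
    any other exception is a real bug and must still surface (500) so
    it gets logged and fixed rather than hidden behind a client error."""
    try:
        return "200 OK", parse_body(content_type, body)
    except BadRequest as e:
        return "400 Bad Request", str(e)
```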
