Skip to content

Comments

Handle bad xmlrpc data with BadRequest#1244

Merged
dataflake merged 3 commits intomasterfrom
djay-handle-badrequests
Jan 14, 2025
Merged

Handle bad xmlrpc data with BadRequest#1244
dataflake merged 3 commits intomasterfrom
djay-handle-badrequests

Conversation

@djay
Copy link
Contributor

@djay djay commented Jan 13, 2025

helps ignore spam/pentest requests

@djay djay requested a review from d-maurer January 13, 2025 05:27
@dataflake
Copy link
Member

dataflake commented Jan 13, 2025

I have observed requests like this and similar over the last few months. There are a couple other types that provoke tracebacks like this. The requested URL as stored in REQUEST['ACTUAL_URL'] on all of these requests is None?...unknown...

Traceback (innermost last):

Module ZPublisher.WSGIPublisher, line 181, in transaction_pubevents
Module ZPublisher.WSGIPublisher, line 390, in publish_module
Module ZPublisher.WSGIPublisher, line 252, in publish
Module ZPublisher.HTTPRequest, line 498, in processInputs
Module ZPublisher.HTTPRequest, line 1471, in __init__
Module multipart, line 218, in parts
Module multipart, line 212, in __iter__
Module multipart, line 285, in _iterparse
multipart.MultipartError: Stream does not contain boundary

Traceback (innermost last):

Module ZPublisher.WSGIPublisher, line 181, in transaction_pubevents
Module ZPublisher.WSGIPublisher, line 390, in publish_module
Module ZPublisher.WSGIPublisher, line 252, in publish
Module ZPublisher.HTTPRequest, line 544, in processInputs
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xad in position 0: invalid start byte

d-maurer
d-maurer approved these changes Jan 13, 2025
View reviewed changes
Copy link
Contributor

@d-maurer d-maurer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a changelog entry

@dataflake dataflake merged commit 1595981 into master Jan 14, 2025
26 checks passed
@dataflake dataflake deleted the djay-handle-badrequests branch January 14, 2025 09:50
@dataflake
Copy link
Member

dataflake commented Jan 14, 2025

I have added the change log entry and merged it myself because I want this on master before creating a branch to work on the other types of spam/pen test requests I have been seeing.

@djay
Copy link
Contributor Author

djay commented Jan 14, 2025

@dataflake there is another. A call like blah.jpg/@@images (ie missing the rest of the path). Then you get

ViewNotCallableError: __call__
  File "ZPublisher/WSGIPublisher.py", line 181, in transaction_pubevents
    yield
  File "ZPublisher/WSGIPublisher.py", line 391, in publish_module
    response = _publish(request, new_mod_info)
  File "ZPublisher/WSGIPublisher.py", line 269, in publish
    obj = request.traverse(path, validated_hook=validate_user)
  File "ZPublisher/BaseRequest.py", line 483, in traverse
    object, default_path = adapter.browserDefault(self)
  File "/app/eggs/zope.browserpage-4.4.0-py3.9.egg/zope/browserpage/metaconfigure.py", line 434, in browserDefault
    meth = getattr(self, attr)
  File "app/eggs/Zope-5.8.5-py3.9.egg/Products/Five/browser/metaconfigure.py", line 448, in __call__
    raise ViewNotCallableError('__call__')

Which I think should also be a BadRequest.
If you don't want to handle it I can open another PR.

@dataflake
Copy link
Member

dataflake commented Jan 14, 2025

If you have time for it please do.

@djay
Copy link
Contributor Author

djay commented Jan 15, 2025

@dataflake #1246

@dataflake dataflake mentioned this pull request Jan 15, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@d-maurer d-maurer d-maurer approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@djay @dataflake @d-maurer