Issue172

Title: Traceback exposed in misformed URL
Priority: bug
Status: chatting
Superseder:
Nosy List: ajaksu2, facundobatista
Assigned To:
Topics:

Created on 2007-12-06.14:23:46 by facundobatista, last changed 2009-03-08.08:49:25 by loewis.

Files
invalid_input.diff (text/x-diff), uploaded by ajaksu2, 2009-02-22.22:27:03
issue.htm (text/html), uploaded by facundobatista, 2007-12-06.14:23:45
misformed_traceback.diff (text/x-diff), uploaded by ajaksu2, 2009-02-19.16:12:12
Messages
msg1186 Author: ajaksu2 Date: 2009-02-22.22:27:03
Oh, it turns out that passing invalid values for fields also hits something
similar to this.

This new patch handles DB errors for values like 'type':'123123123123' and also
catches '@sort0=FRUTA'.

It's not finished. I'm creating new issues with a command-line client (will
start editing them soon) and more cases will probably be uncovered :)
msg1155 Author: ajaksu2 Date: 2009-02-19.16:12:12
Oh, well, I didn't want to patch roundup-src just yet but I don't like this one.
Patch catches KeyError, returns None and handles that downstream.
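The validation that msg1186 and msg1155 describe, rejecting unknown sort properties such as @sort0=FRUTA and non-existent link ids such as type=123123123123 before the query reaches the database, as an added illustration that is not Roundup's code or the attached patches. The schema and id sets are constructed stand-ins, and where the patch catches KeyError and returns None, this version maps the error to a 400 response so no traceback or local variables are rendered.

```python
# Added example (not Roundup's code or the attached patch): validate query
# parameters such as @sort0 and property filters before they reach the
# database, so a malformed URL yields a 400 instead of a traceback.
from urllib.parse import parse_qsl

# Constructed stand-in for a tracker class schema: property name -> type.
ISSUE_SCHEMA = {
    "title": "string",
    "priority": "link",
    "status": "link",
    "type": "link",
    "creation": "date",
}
# Constructed stand-in for the ids that exist in the linked tables.
LINK_IDS = {"priority": {"1", "2", "3"}, "status": {"1", "2"}, "type": {"1", "2"}}


class BadQuery(ValueError):
    """Raised for client errors; the caller maps it to HTTP 400."""


def parse_sort(value):
    """'-title' -> ('title', '-'); unknown property -> BadQuery, not KeyError."""
    direction = "-" if value.startswith("-") else "+"
    prop = value.lstrip("+-")
    if prop not in ISSUE_SCHEMA:
        raise BadQuery("unknown sort property: %r" % prop)
    return prop, direction


def parse_filters(items):
    """Validate property filter values against the schema and existing ids."""
    filters = {}
    for key, value in items:
        if key.startswith("@"):
            continue  # @sort0, @group0 etc. are handled elsewhere
        if key not in ISSUE_SCHEMA:
            raise BadQuery("unknown property: %r" % key)
        if ISSUE_SCHEMA[key] == "link" and value not in LINK_IDS.get(key, set()):
            raise BadQuery("no %s with id %r" % (key, value))
        filters[key] = value
    return filters


def handle_query(query_string):
    """Return (status, body); validation errors never escape as tracebacks."""
    try:
        items = parse_qsl(query_string, keep_blank_values=True)
        sort = [parse_sort(v) for k, v in items if k.startswith("@sort")]
        filters = parse_filters(items)
    except BadQuery as exc:
        return 400, "Query badly formed: %s" % exc  # no traceback, no variables
    return 200, {"sort": sort, "filters": filters}
```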
msg883 Author: loewis Date: 2008-01-01.14:59:19
I looked at it again, and there seems to be no easy way to turn it off. There is
WEB_DEBUG, and it is off, but that won't help, since this specific traceback
does not come from cgitb.html (which would be redirected to email by this flag),
but through cgitb.pt_html, and there is apparently no support for redirecting
that to email.
msg871 Author: loewis Date: 2007-12-10.21:54:22
Setting the priority to "bug" then. The complete source code, including the
complete configuration data, is available for inspection by anybody in
subversion; it's open source. Whether or not it's desirable to display this
information, I don't know. If there is a real bug somewhere, it is sure helpful
if the report can include the corresponding traceback.
msg870 Author: facundobatista Date: 2007-12-10.12:34:58
I think that showing the internal variables and their values on one side, and
the full traceback with directory names and everything on the other, could be
used by bad people to attack the system (I don't know how, but I'm not a cracker).

Even if the information exposed is not so important, what's the harm of not
showing it? Returning a 505, or a "Query bad formed" message should be enough.
Maybe disabling the "debug mode" in the server will do it and minimize the effort.

Anyway, I just wanted to point the issue to you, because maybe it was not a
desired effect. If you consciously want to leave it like this, it's ok to me
(feel free to close the bug).

Thank you!!
msg869 Author: loewis Date: 2007-12-06.18:46:15
> If you create a bad URL, a lot of internal information is exposed:

What specific, security-relevant internal information are you referring
to? I can't see any in the traceback you provided.

Regards,
Martin
msg868 Author: facundobatista Date: 2007-12-06.14:23:45
If you create a bad URL, a lot of internal information is exposed:

Try with this one...

  http://bugs.python.org/issue?@sort0=FRUTA

...and you'll see something like what I've attached.

(I put it as "critical" because it's a security issue)

Regards,

    Facundo
History
Date | User | Action | Args
2009-03-08 08:49:25 | loewis | set | priority: critical -> bug
2009-02-22 22:27:04 | ajaksu2 | set | files: + invalid_input.diff; messages: + msg1186
2009-02-19 20:13:16 | loewis | set | priority: urgent -> critical
2009-02-19 20:13:01 | loewis | set | priority: bug -> urgent
2009-02-19 16:12:12 | ajaksu2 | set | files: + misformed_traceback.diff; nosy: + ajaksu2; messages: + msg1155
2008-01-01 14:59:20 | loewis | set | messages: + msg883
2007-12-10 21:54:22 | loewis | set | priority: critical -> bug; messages: + msg871
2007-12-10 12:34:59 | facundobatista | set | messages: + msg870
2007-12-06 18:46:15 | loewis | set | status: unread -> chatting; messages: + msg869
2007-12-06 14:23:46 | facundobatista | create |