Bug #33085

crash on non-ASCII signature

Added by Thomas Noël 3 months ago. Updated 3 months ago.

Status: Solution deployed
Priority: Normal
Assignee: -
Target version: -
Start date: 14 May 2019
Due date:
% Done: 0%
Patch proposed: Yes
Planning: No

Description

Just a display issue that could be solved with a %r, I think:

Subject: Quixote Traceback (UnicodeDecodeError: 'ascii' codec can't decode byte 0xef in position 37: ordinal not in range(128))

Exception:
  type = '<type 'exceptions.UnicodeDecodeError'>', value = ''ascii' codec can't decode byte 0xef in position 37: ordinal not in range(128)'

Stack trace (most recent call first):
  File "/usr/lib/python2.7/dist-packages/django/core/signing.py", line 181, in unsign
   179         if constant_time_compare(sig, self.signature(value)):
   180             return force_text(value)
>  181         raise BadSignature('Signature "%s" does not match' % sig)
   182
   183

  locals:
     self = <django.core.signing.Signer object at 0x7fc423fe3250>
     sig = 'eKEi4HmLNen8NxFydFYqYgp9VWgt3bjb1hlgu\xef\xbf\xbd\xef\xbf\xbdh5qczg9s7q'
     signed_value = '7a591c41e660a7ea:eKEi4HmLNen8NxFydFYqYgp9VWgt3bjb1hlgu\xef\xbf\xbd\xef\xbf\xbdh5qczg9s7q'
     value = '7a591c41e660a7ea'

0001-sessions-protect-against-non-ascii-signatures-33085.patch (917 Bytes) Frédéric Péters, 21 May 2019 12:31 PM

Associated revisions

Revision 0bd83cf7 (diff)
Added by Frédéric Péters 3 months ago

sessions: protect against non-ascii signatures (#33085)

History

#1 Updated by Thomas Noël 3 months ago

I just saw that this happens in django/core/signing.py, so we need to act upstream of it.

Exception:
  type = '<type 'exceptions.UnicodeDecodeError'>', value = ''ascii' codec can't decode byte 0xef in position 37: ordinal not in range(128)'

Stack trace (most recent call first):
  File "/usr/lib/python2.7/dist-packages/django/core/signing.py", line 181, in unsign
   179         if constant_time_compare(sig, self.signature(value)):
   180             return force_text(value)
>  181         raise BadSignature('Signature "%s" does not match' % sig)
   182
   183

  locals:
     self = <django.core.signing.Signer object at 0x7eff97f58c10>
     sig = 'SDuvZS7k8XmYV2vmdBeHCOyTAPgiscph3n0dv\xef\xbf\xbd\xef\xbf\xbdx5xguyqxnk'
     signed_value = 'a91158022d377c3c:SDuvZS7k8XmYV2vmdBeHCOyTAPgiscph3n0dv\xef\xbf\xbd\xef\xbf\xbdx5xguyqxnk'
     value = 'a91158022d377c3c'

  File "/usr/lib/python2.7/dist-packages/wcs/qommon/sessions.py", line 305, in get_tempfile
   303             value = signer.unsign(token)
   304         except BadSignature:
>  305             return None
   306         dirname = os.path.join(get_publisher().app_dir, 'tempfiles')
   307         filename = os.path.join(dirname, value + '.json')

  locals:
     self = <Session at 7eff97c8e0d0: 5ce1d48be903a889>
     signer = <django.core.signing.Signer object at 0x7eff97f58c10>
     token = 'a91158022d377c3c:SDuvZS7k8XmYV2vmdBeHCOyTAPgiscph3n0dv\xef\xbf\xbd\xef\xbf\xbdx5xguyqxnk'

  File "/usr/lib/python2.7/dist-packages/wcs/qommon/sessions.py", line 321, in get_tempfile_content
   319
   320     def get_tempfile_content(self, token):
>  321         temp = self.get_tempfile(token)
   322         if not temp:
   323             return temp

At the signer.unsign(token) call we should check that token really is ASCII... well, I think so.
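
One way to implement the check suggested in the comment above, as an added example (it is not the attached patch, whose content this page does not show). In the trace the exception raised at line 181 is UnicodeDecodeError rather than BadSignature, so the `except BadSignature` in get_tempfile never sees it; the sketch rejects non-ASCII tokens first. `SECRET`, `signature`, `sign`, `to_ascii_text`, `unsign` and `get_tempfile_id` are hypothetical stand-ins for Django's Signer and the wcs session method, built on the standard library only.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed value, not from the page


class BadSignature(Exception):
    """Stand-in for django.core.signing.BadSignature."""


def signature(value):
    # Hypothetical stand-in signer: hex HMAC-SHA256, so always ASCII.
    return hmac.new(SECRET, value.encode("ascii"), hashlib.sha256).hexdigest()


def sign(value):
    return "%s:%s" % (value, signature(value))


def to_ascii_text(token):
    # A genuine token is pure ASCII; anything else cannot carry a valid
    # signature, so reject it before it reaches comparison or formatting.
    try:
        if isinstance(token, bytes):
            return token.decode("ascii")
        token.encode("ascii")
        return token
    except UnicodeError:
        raise BadSignature("token is not ASCII")


def unsign(token):
    token = to_ascii_text(token)
    if ":" not in token:
        raise BadSignature("no separator in token")
    value, sig = token.rsplit(":", 1)
    # Without the guard, Python 3's hmac.compare_digest raises TypeError on
    # non-ASCII str, again an exception the caller does not catch.
    if hmac.compare_digest(sig, signature(value)):
        return value
    # %r escapes client-supplied text instead of interpolating it raw.
    raise BadSignature("Signature %r does not match" % sig)


def get_tempfile_id(token):
    # Like the caller in the trace: a bad token means "no file", not a crash.
    try:
        return unsign(token)
    except BadSignature:
        return None
```

The `\xef\xbf\xbd` bytes in the logged tokens are the UTF-8 encoding of U+FFFD, the replacement character, which is the kind of input the guard turns into an ordinary bad-signature result.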

#2 Updated by Frédéric Péters 3 months ago

Nothing subtle.

#3 Updated by Thomas Noël 3 months ago

  • Status changed from Solution proposed to Solution validated

#4 Updated by Frédéric Péters 3 months ago

  • Status changed from Solution validated to Resolved (to be deployed)

commit 0bd83cf752781936448c36beb2b0887705e1c139
Author: Frédéric Péters <fpeters@entrouvert.com>
Date:   Tue May 21 12:31:32 2019 +0200

    sessions: protect against non-ascii signatures (#33085)

#5 Updated by Frédéric Péters 3 months ago

  • Status changed from Resolved (to be deployed) to Solution deployed
