Ticket #802 (defect)
Opened 6 months ago
Last modified 3 months ago
parseRequestLine: Some URIs cause unrecoverable error
Status: closed (fixed)
| Reported by: | timochka@gmail.com | Assigned to: | rdelon |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | CherryPy code | Keywords: | |
| Cc: |
After starting a HelloWorld application on port 8080, requests to URLs like http://localhost:8080/%0Dx or http://localhost:8080/%0Ax cause an unrecoverable server error because the request line splits into more than three parts.
The application:
```python
import cherrypy

class HelloWorld(object):
    def index(self):
        return "Hello World!"
    index.exposed = True

cherrypy.root = HelloWorld()
cherrypy.server.start()
```
The output:
26/Mar/2008:18:23:43 ENGINE INFO <Ctrl-C> hit: shutting down autoreloader
26/Mar/2008:18:23:43 HTTP INFO HTTP Server shut down
26/Mar/2008:18:23:43 ENGINE INFO CherryPy shut down
26/Mar/2008:18:23:38 CONFIG INFO Server parameters:
26/Mar/2008:18:23:38 CONFIG INFO server.environment: development
26/Mar/2008:18:23:38 CONFIG INFO server.log_to_screen: True
26/Mar/2008:18:23:38 CONFIG INFO server.log_file:
26/Mar/2008:18:23:38 CONFIG INFO server.log_tracebacks: True
26/Mar/2008:18:23:38 CONFIG INFO server.log_request_headers: True
26/Mar/2008:18:23:38 CONFIG INFO server.protocol_version: HTTP/1.0
26/Mar/2008:18:23:38 CONFIG INFO server.socket_host:
26/Mar/2008:18:23:38 CONFIG INFO server.socket_port: 8080
26/Mar/2008:18:23:38 CONFIG INFO server.socket_file:
26/Mar/2008:18:23:38 CONFIG INFO server.reverse_dns: False
26/Mar/2008:18:23:38 CONFIG INFO server.socket_queue_size: 5
26/Mar/2008:18:23:38 CONFIG INFO server.thread_pool: 10
26/Mar/2008:18:23:38 HTTP INFO Serving HTTP on http://0.0.0.0:8080/
26/Mar/2008:18:23:41 HTTP INFO Traceback (most recent call last):
File "/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/_cphttptools.py", line 98, in _run
self.processRequestLine()
File "/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/_cphttptools.py", line 148, in processRequestLine
method, path, qs, proto = httptools.parseRequestLine(rl)
File "/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/lib/httptools.py", line 320, in parseRequestLine
method, path, protocol = requestLine.split()
ValueError: too many values to unpack
Request Headers:
Content-Length:
USER-AGENT: Wget/1.10.2
CONNECTION: Keep-Alive
HOST: localhost:8080
ACCEPT: */*
Remote-Addr: ::ffff:127.0.0.1
Content-Type:
26/Mar/2008:18:23:41 INFO Traceback (most recent call last):
File "/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/_cpwsgi.py", line 125, in wsgiApp
environ['wsgi.input'])
File "/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/_cphttptools.py", line 84, in run
if self.method == "HEAD":
AttributeError: 'Request' object has no attribute 'method'
26/Mar/2008:18:23:41 INFO Traceback (most recent call last):
File "/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/filters/__init__.py", line 145, in applyFilters
method()
File "/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/filters/sessionfilter.py", line 210, in on_end_request
sess = cherrypy.request._session
File "/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/__init__.py", line 47, in __getattr__
return getattr(childobject, name)
AttributeError: 'Request' object has no attribute '_session'
26/Mar/2008:18:23:41 INFO Traceback (most recent call last):
File "/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/filters/__init__.py", line 145, in applyFilters
method()
File "/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/filters/cachefilter.py", line 165, in on_end_request
if not cherrypy.request.cacheable:
File "/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/__init__.py", line 47, in __getattr__
return getattr(childobject, name)
AttributeError: 'Request' object has no attribute 'cacheable'
26/Mar/2008:18:23:43 ENGINE INFO <Ctrl-C> hit: shutting down autoreloader
26/Mar/2008:18:23:43 HTTP INFO HTTP Server shut down
26/Mar/2008:18:23:43 ENGINE INFO CherryPy shut down
Change History
04/26/08 19:08:53: Modified by fumanchu
- status changed from new to closed.
- resolution set to invalid.
04/27/08 14:43:25: Modified by guest
- status changed from closed to reopened.
- resolution deleted.
I wouldn't be so sure. I tried both Firefox and wget with the same result. Moreover, not all versions of CP display this behaviour (sorry, can't be more specific right now).
04/29/08 03:38:26: Modified by timochka@gmail.com
Below is the output I get from a TurboGears application (CherryPy 2.2.1). No server error:
-su-2.05b$ wget -O - "http://localhost:8080/%0Ax"
--12:34:57-- http://localhost:8080/%0Ax
=> `-'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 404 Not Found
12:34:57 ERROR 404: Not Found.
-su-2.05b$ wget -O - "http://localhost:8080/%0Dx"
--12:35:00-- http://localhost:8080/%0Dx
=> `-'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 404 Not Found
12:35:00 ERROR 404: Not Found.
07/09/08 13:37:49: Modified by nick125
With a fresh copy of 2.3.0 from CherryPy.org, I was able to reproduce this issue, both with wget 1.11.2 and Firefox 3.0.
09/Jul/2008:12:30:17 HTTP INFO Traceback (most recent call last):
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/_cphttptools.py", line 98, in _run
self.processRequestLine()
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/_cphttptools.py", line 148, in processRequestLine
method, path, qs, proto = httptools.parseRequestLine(rl)
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/lib/httptools.py", line 320, in parseRequestLine
method, path, protocol = requestLine.split()
ValueError: too many values to unpack
Request Headers:
Content-Length:
USER-AGENT: Wget/1.11.2
CONNECTION: Keep-Alive
HOST: localhost:8080
ACCEPT: */*
Remote-Addr: ::ffff:127.0.0.1
Content-Type:
09/Jul/2008:12:30:17 INFO Traceback (most recent call last):
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/_cpwsgi.py", line 125, in wsgiApp
environ['wsgi.input'])
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/_cphttptools.py", line 84, in run
if self.method == "HEAD":
AttributeError: 'Request' object has no attribute 'method'
09/Jul/2008:12:30:17 INFO Traceback (most recent call last):
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/filters/__init__.py", line 145, in applyFilters
method()
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/filters/sessionfilter.py", line 210, in on_end_request
sess = cherrypy.request._session
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/__init__.py", line 47, in __getattr__
return getattr(childobject, name)
AttributeError: 'Request' object has no attribute '_session'
09/Jul/2008:12:30:17 INFO Traceback (most recent call last):
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/filters/__init__.py", line 145, in applyFilters
method()
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/filters/cachefilter.py", line 165, in on_end_request
if not cherrypy.request.cacheable:
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/__init__.py", line 47, in __getattr__
return getattr(childobject, name)
AttributeError: 'Request' object has no attribute 'cacheable'
07/09/08 15:22:57: Modified by nick125
- status changed from reopened to closed.
- resolution set to fixed.
Fixed in r2019.


This is almost certainly due to the client passing illegal characters in the Request-Line. The Request-URI must "% hex hex" escape many characters, including %0D and %0A. It's likely that your client is silently and incorrectly converting those characters to their unescaped equivalents before passing them over the wire.
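An added example, not CherryPy's code and not the r2019 change: the whitespace `split()` unpacking quoted in the tracebacks, next to a stricter parser that rejects the same input with a dedicated error a server can map to a 400 response. The names `parse_naive`, `parse_strict`, `BadRequestLine` and the sample request lines are constructed here, and the second and third samples assume the escape reached the parser already decoded.

```python
import re

class BadRequestLine(ValueError):
    """Malformed request line: the server should answer 400 and carry on."""

TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # HTTP method characters
VERSION = re.compile(r"HTTP/\d\.\d")
FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")           # control characters and space

def parse_naive(request_line):
    # Same unpacking as the line quoted in the ticket's traceback.
    method, path, protocol = request_line.split()
    return method, path, protocol

def parse_strict(request_line):
    # Cut at the first and last space only, so stray whitespace stays inside
    # the target, where it is validated instead of silently re-split.
    try:
        method, rest = request_line.split(" ", 1)
        target, protocol = rest.rsplit(" ", 1)
    except ValueError:
        raise BadRequestLine("expected METHOD SP TARGET SP VERSION") from None
    if not TOKEN.fullmatch(method) or not VERSION.fullmatch(protocol):
        raise BadRequestLine("bad method or protocol version")
    if not target or FORBIDDEN.search(target):
        raise BadRequestLine("raw control character or space in target")
    return method, target, protocol

def outcome(parser, request_line):
    """Return the parsed tuple, or the name of the exception raised."""
    try:
        return parser(request_line)
    except ValueError as exc:
        return type(exc).__name__

# Constructed request lines; the last two assume the %0A / %0D escape was
# decoded before the line reached the parser.
SAMPLES = ["GET /%0Ax HTTP/1.0", "GET /\nx HTTP/1.0", "GET /\rx HTTP/1.0"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line), outcome(parse_naive, line), outcome(parse_strict, line))
```

The still-escaped target parses under both functions; the decoded forms make `parse_naive` raise the same unpacking `ValueError` seen in the logs, while `parse_strict` raises `BadRequestLine`, which a request handler can catch before any later stage reads attributes that were never set.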