[CherryPy] #802: parseRequestLine: Some URIs cause unrecoverable error
6 views
Skip to first unread message
CherryPy
Mar 26, 2008, 11:35:49 AM3/26/08
to cherrypy...@googlegroups.com
#802: parseRequestLine: Some URIs cause unrecoverable error
--------------------------------+-------------------------------------------
Reporter: timo...@gmail.com | Owner: rdelon
Type: defect | Status: new
Priority: high | Milestone:
Component: CherryPy code | Keywords:
--------------------------------+-------------------------------------------
After starting a HelloWorld application on port 8080 requests to URLs like
http://localhost:8080/%0Dx or http://localhost:8080/%0Ax cause
unrecoverable server error because reqest line splits to more than three
parts.
The application:
{{{
import cherrypy
class HelloWorld(object):
def index(self):
return "Hello World!"
index.exposed = True
cherrypy.root = HelloWorld()
cherrypy.server.start()
}}}
The output:
{{{
26/Mar/2008:18:23:43 ENGINE INFO <Ctrl-C> hit: shutting down autoreloader
26/Mar/2008:18:23:43 HTTP INFO HTTP Server shut down
26/Mar/2008:18:23:43 ENGINE INFO CherryPy shut down
26/Mar/2008:18:23:38 CONFIG INFO Server parameters:
26/Mar/2008:18:23:38 CONFIG INFO server.environment: development
26/Mar/2008:18:23:38 CONFIG INFO server.log_to_screen: True
26/Mar/2008:18:23:38 CONFIG INFO server.log_file:
26/Mar/2008:18:23:38 CONFIG INFO server.log_tracebacks: True
26/Mar/2008:18:23:38 CONFIG INFO server.log_request_headers: True
26/Mar/2008:18:23:38 CONFIG INFO server.protocol_version: HTTP/1.0
26/Mar/2008:18:23:38 CONFIG INFO server.socket_host:
26/Mar/2008:18:23:38 CONFIG INFO server.socket_port: 8080
26/Mar/2008:18:23:38 CONFIG INFO server.socket_file:
26/Mar/2008:18:23:38 CONFIG INFO server.reverse_dns: False
26/Mar/2008:18:23:38 CONFIG INFO server.socket_queue_size: 5
26/Mar/2008:18:23:38 CONFIG INFO server.thread_pool: 10
26/Mar/2008:18:23:38 HTTP INFO Serving HTTP on http://0.0.0.0:8080/
26/Mar/2008:18:23:41 HTTP INFO Traceback (most recent call last):
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/_cphttptools.py",
line 98, in _run
self.processRequestLine()
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/_cphttptools.py",
line 148, in processRequestLine
method, path, qs, proto = httptools.parseRequestLine(rl)
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/lib/httptools.py",
line 320, in parseRequestLine
method, path, protocol = requestLine.split()
ValueError: too many values to unpack
Request Headers:
Content-Length:
USER-AGENT: Wget/1.10.2
CONNECTION: Keep-Alive
HOST: localhost:8080
ACCEPT: */*
Remote-Addr: ::ffff:127.0.0.1
Content-Type:
26/Mar/2008:18:23:41 INFO Traceback (most recent call last):
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/_cpwsgi.py",
line 125, in wsgiApp
environ['wsgi.input'])
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/_cphttptools.py",
line 84, in run
if self.method == "HEAD":
AttributeError: 'Request' object has no attribute 'method'
26/Mar/2008:18:23:41 INFO Traceback (most recent call last):
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/filters/__init__.py",
line 145, in applyFilters
method()
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/filters/sessionfilter.py",
line 210, in on_end_request
sess = cherrypy.request._session
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/__init__.py",
line 47, in __getattr__
return getattr(childobject, name)
AttributeError: 'Request' object has no attribute '_session'
26/Mar/2008:18:23:41 INFO Traceback (most recent call last):
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/filters/__init__.py",
line 145, in applyFilters
method()
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/filters/cachefilter.py",
line 165, in on_end_request
if not cherrypy.request.cacheable:
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/__init__.py",
line 47, in __getattr__
return getattr(childobject, name)
AttributeError: 'Request' object has no attribute 'cacheable'
26/Mar/2008:18:23:43 ENGINE INFO <Ctrl-C> hit: shutting down autoreloader
26/Mar/2008:18:23:43 HTTP INFO HTTP Server shut down
26/Mar/2008:18:23:43 ENGINE INFO CherryPy shut down
}}}
--
Ticket URL: <http://www.cherrypy.org/ticket/802>
CherryPy <http://www.cherrypy.org>
CherryPy - a pythonic, object-oriented HTTP framework
--------------------------------+-------------------------------------------
Reporter: timo...@gmail.com | Owner: rdelon
Type: defect | Status: new
Priority: high | Milestone:
Component: CherryPy code | Keywords:
--------------------------------+-------------------------------------------
After starting a HelloWorld application on port 8080 requests to URLs like
http://localhost:8080/%0Dx or http://localhost:8080/%0Ax cause
unrecoverable server error because reqest line splits to more than three
parts.
The application:
{{{
import cherrypy
class HelloWorld(object):
def index(self):
return "Hello World!"
index.exposed = True
cherrypy.root = HelloWorld()
cherrypy.server.start()
}}}
The output:
{{{
26/Mar/2008:18:23:43 ENGINE INFO <Ctrl-C> hit: shutting down autoreloader
26/Mar/2008:18:23:43 HTTP INFO HTTP Server shut down
26/Mar/2008:18:23:43 ENGINE INFO CherryPy shut down
26/Mar/2008:18:23:38 CONFIG INFO Server parameters:
26/Mar/2008:18:23:38 CONFIG INFO server.environment: development
26/Mar/2008:18:23:38 CONFIG INFO server.log_to_screen: True
26/Mar/2008:18:23:38 CONFIG INFO server.log_file:
26/Mar/2008:18:23:38 CONFIG INFO server.log_tracebacks: True
26/Mar/2008:18:23:38 CONFIG INFO server.log_request_headers: True
26/Mar/2008:18:23:38 CONFIG INFO server.protocol_version: HTTP/1.0
26/Mar/2008:18:23:38 CONFIG INFO server.socket_host:
26/Mar/2008:18:23:38 CONFIG INFO server.socket_port: 8080
26/Mar/2008:18:23:38 CONFIG INFO server.socket_file:
26/Mar/2008:18:23:38 CONFIG INFO server.reverse_dns: False
26/Mar/2008:18:23:38 CONFIG INFO server.socket_queue_size: 5
26/Mar/2008:18:23:38 CONFIG INFO server.thread_pool: 10
26/Mar/2008:18:23:38 HTTP INFO Serving HTTP on http://0.0.0.0:8080/
26/Mar/2008:18:23:41 HTTP INFO Traceback (most recent call last):
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/_cphttptools.py",
line 98, in _run
self.processRequestLine()
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/_cphttptools.py",
line 148, in processRequestLine
method, path, qs, proto = httptools.parseRequestLine(rl)
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/lib/httptools.py",
line 320, in parseRequestLine
method, path, protocol = requestLine.split()
ValueError: too many values to unpack
Request Headers:
Content-Length:
USER-AGENT: Wget/1.10.2
CONNECTION: Keep-Alive
HOST: localhost:8080
ACCEPT: */*
Remote-Addr: ::ffff:127.0.0.1
Content-Type:
26/Mar/2008:18:23:41 INFO Traceback (most recent call last):
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/_cpwsgi.py",
line 125, in wsgiApp
environ['wsgi.input'])
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/_cphttptools.py",
line 84, in run
if self.method == "HEAD":
AttributeError: 'Request' object has no attribute 'method'
26/Mar/2008:18:23:41 INFO Traceback (most recent call last):
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/filters/__init__.py",
line 145, in applyFilters
method()
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/filters/sessionfilter.py",
line 210, in on_end_request
sess = cherrypy.request._session
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/__init__.py",
line 47, in __getattr__
return getattr(childobject, name)
AttributeError: 'Request' object has no attribute '_session'
26/Mar/2008:18:23:41 INFO Traceback (most recent call last):
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/filters/__init__.py",
line 145, in applyFilters
method()
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/filters/cachefilter.py",
line 165, in on_end_request
if not cherrypy.request.cacheable:
File
"/home/timur/lib/python/CherryPy-2.3.0-py2.4.egg/cherrypy/__init__.py",
line 47, in __getattr__
return getattr(childobject, name)
AttributeError: 'Request' object has no attribute 'cacheable'
26/Mar/2008:18:23:43 ENGINE INFO <Ctrl-C> hit: shutting down autoreloader
26/Mar/2008:18:23:43 HTTP INFO HTTP Server shut down
26/Mar/2008:18:23:43 ENGINE INFO CherryPy shut down
}}}
--
Ticket URL: <http://www.cherrypy.org/ticket/802>
CherryPy <http://www.cherrypy.org>
CherryPy - a pythonic, object-oriented HTTP framework
CherryPy
Apr 26, 2008, 8:08:53 PM4/26/08
to cherrypy...@googlegroups.com
#802: parseRequestLine: Some URIs cause unrecoverable error
--------------------------------+-------------------------------------------
Reporter: timo...@gmail.com | Owner: rdelon
Type: defect | Status: closed
--------------------------------+-------------------------------------------
Reporter: timo...@gmail.com | Owner: rdelon
Priority: high | Milestone:
Component: CherryPy code | Resolution: invalid
Keywords: |
--------------------------------+-------------------------------------------
Changes (by fumanchu):
* resolution: => invalid
* status: new => closed
Comment:
This is almost certainly due to the client passing illegal characters in
the Request-Line. The Request-URI must "% hex hex" escape many characters,
including %0D and %0A. It's likely that your client is silently and
incorrectly converting those characters to their unescaped equivalents
before passing them over the wire.
CherryPy
Apr 27, 2008, 3:43:37 PM4/27/08
to cherrypy...@googlegroups.com
#802: parseRequestLine: Some URIs cause unrecoverable error
--------------------------------+-------------------------------------------
Reporter: timo...@gmail.com | Owner: rdelon
Type: defect | Status: reopened
--------------------------------+-------------------------------------------
Reporter: timo...@gmail.com | Owner: rdelon
Priority: high | Milestone:
Component: CherryPy code | Resolution:
Keywords: |
--------------------------------+-------------------------------------------
Changes (by guest):
* resolution: invalid =>
* status: closed => reopened
Comment:
I wouldn't be so sure. I tried both Firefox and wget with same result.
Moreover, not all versions of CP display this behaviour (sorry, can't be
more specific right now).
CherryPy
Apr 29, 2008, 4:38:27 AM4/29/08
to cherrypy...@googlegroups.com
#802: parseRequestLine: Some URIs cause unrecoverable error
--------------------------------+-------------------------------------------
Reporter: timo...@gmail.com | Owner: rdelon
Type: defect | Status: reopened
--------------------------------+-------------------------------------------
Reporter: timo...@gmail.com | Owner: rdelon
Priority: high | Milestone:
Component: CherryPy code | Resolution:
Keywords: |
--------------------------------+-------------------------------------------
Comment (by timo...@gmail.com):
Bellow is the output I get from a TurboGears application (CherryPy 2.2.1).
No server error:
{{{
-su-2.05b$ wget -O - "http://localhost:8080/%0Ax"
--12:34:57-- http://localhost:8080/%0Ax
=> `-'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 404 Not Found
12:34:57 ERROR 404: Not Found.
-su-2.05b$ wget -O - "http://localhost:8080/%0Dx"
--12:35:00-- http://localhost:8080/%0Dx
=> `-'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 404 Not Found
12:35:00 ERROR 404: Not Found.
CherryPy
Jul 9, 2008, 2:38:07 PM7/9/08
to cherrypy...@googlegroups.com
#802: parseRequestLine: Some URIs cause unrecoverable error
--------------------------------+-------------------------------------------
Reporter: timo...@gmail.com | Owner: rdelon
Type: defect | Status: reopened
--------------------------------+-------------------------------------------
Reporter: timo...@gmail.com | Owner: rdelon
Priority: high | Milestone:
Component: CherryPy code | Resolution:
Keywords: |
--------------------------------+-------------------------------------------
Comment (by nick125):
Keywords: |
--------------------------------+-------------------------------------------
With a fresh copy of 2.3.0 from CherryPy.org, I was able to reproduce this
issue, both with wget 1.11.2 and Firefox 3.0.
{{{
09/Jul/2008:12:30:17 HTTP INFO Traceback (most recent call last):
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/_cphttptools.py",
line 98, in _run
self.processRequestLine()
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/_cphttptools.py",
self.processRequestLine()
line 148, in processRequestLine
method, path, qs, proto = httptools.parseRequestLine(rl)
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/lib/httptools.py",
method, path, qs, proto = httptools.parseRequestLine(rl)
line 320, in parseRequestLine
method, path, protocol = requestLine.split()
ValueError: too many values to unpack
Request Headers:
Content-Length:
USER-AGENT: Wget/1.11.2
method, path, protocol = requestLine.split()
ValueError: too many values to unpack
Request Headers:
Content-Length:
CONNECTION: Keep-Alive
HOST: localhost:8080
ACCEPT: */*
Remote-Addr: ::ffff:127.0.0.1
Content-Type:
09/Jul/2008:12:30:17 INFO Traceback (most recent call last):
HOST: localhost:8080
ACCEPT: */*
Remote-Addr: ::ffff:127.0.0.1
Content-Type:
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/_cpwsgi.py", line
125, in wsgiApp
environ['wsgi.input'])
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/_cphttptools.py",
environ['wsgi.input'])
line 84, in run
if self.method == "HEAD":
AttributeError: 'Request' object has no attribute 'method'
09/Jul/2008:12:30:17 INFO Traceback (most recent call last):
if self.method == "HEAD":
AttributeError: 'Request' object has no attribute 'method'
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/filters/__init__.py",
line 145, in applyFilters
method()
File
"/home/nick/code/temp/CherryPy-2.3.0/cherrypy/filters/sessionfilter.py",
method()
File
line 210, in on_end_request
sess = cherrypy.request._session
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/__init__.py", line
sess = cherrypy.request._session
47, in __getattr__
return getattr(childobject, name)
AttributeError: 'Request' object has no attribute '_session'
09/Jul/2008:12:30:17 INFO Traceback (most recent call last):
return getattr(childobject, name)
AttributeError: 'Request' object has no attribute '_session'
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/filters/__init__.py",
line 145, in applyFilters
method()
File
"/home/nick/code/temp/CherryPy-2.3.0/cherrypy/filters/cachefilter.py",
method()
File
line 165, in on_end_request
if not cherrypy.request.cacheable:
File "/home/nick/code/temp/CherryPy-2.3.0/cherrypy/__init__.py", line
if not cherrypy.request.cacheable:
47, in __getattr__
return getattr(childobject, name)
AttributeError: 'Request' object has no attribute 'cacheable'
}}}
--
return getattr(childobject, name)
AttributeError: 'Request' object has no attribute 'cacheable'
}}}
Ticket URL: <http://cherrypy.org/ticket/802>
CherryPy
Jul 9, 2008, 4:23:08 PM7/9/08
to cherrypy...@googlegroups.com
#802: parseRequestLine: Some URIs cause unrecoverable error
--------------------------------+-------------------------------------------
Reporter: timo...@gmail.com | Owner: rdelon
Type: defect | Status: closed
--------------------------------+-------------------------------------------
Reporter: timo...@gmail.com | Owner: rdelon
Priority: high | Milestone:
Component: CherryPy code | Resolution: fixed
Keywords: |
--------------------------------+-------------------------------------------
Changes (by nick125):
* resolution: => fixed
* status: reopened => closed
Comment:
Fixed in r2019.
Reply all
Reply to author
Forward
0 new messages