http 500 on certain unicode characters in Content-Type

Bug #1421478 reported by Steve Heyman
Affects    Status        Importance   Assigned to              Milestone
Barbican   Fix Released  Low          Everardo Padilla Saca    (none)

Bug Description

Returns a 500 error for any Content-Type with a character from \u0080 to \uffff.

Request:

POST /v1/secrets HTTP/1.1
Host: localhost:9311
Content-Length: 248
Accept-Encoding: gzip, deflate
X-Project-Id: 3793662244d04d2c96edb3a52808cd2b
Accept: */*
User-Agent: python-requests/2.5.1 CPython/2.7.5 Darwin/13.4.0
Connection: keep-alive
X-Auth-Token: [VALID TOKEN]
Content-Type: Ä (\u0080)

{"name": "AES key", "algorithm": "aes", "payload_content_type": "application/octet-stream", "payload_content_encoding": "base64", "mode": "cbc", "bit_length": 256, "payload": "gF6+lLoF3ohA9aPRpt+6bQ==", "expiration": "2018-02-28T19:14:44.180394"}

HTTP/1.1 500 Internal Server Error
Content-Length: 131
Content-Type: application/json; charset=UTF-8
Connection: close

{"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}

Stacktrace:

2015-02-10 11:57:25.165 18864 ERROR barbican.api.controllers [-] Secret creation failure seen - please contact site administrator.
2015-02-10 11:57:25.165 18864 TRACE barbican.api.controllers Traceback (most recent call last):
2015-02-10 11:57:25.165 18864 TRACE barbican.api.controllers File "/Users/char7232/tests/barbican/barbican/barbican/api/controllers/__init__.py", line 95, in handler
2015-02-10 11:57:25.165 18864 TRACE barbican.api.controllers return fn(inst, *args, **kwargs)
2015-02-10 11:57:25.165 18864 TRACE barbican.api.controllers File "/Users/char7232/tests/barbican/barbican/barbican/api/controllers/__init__.py", line 81, in enforcer
2015-02-10 11:57:25.165 18864 TRACE barbican.api.controllers return fn(inst, *args, **kwargs)
2015-02-10 11:57:25.165 18864 TRACE barbican.api.controllers File "/Users/char7232/tests/barbican/barbican/barbican/api/controllers/__init__.py", line 136, in content_types_enforcer
2015-02-10 11:57:25.165 18864 TRACE barbican.api.controllers _do_enforce_content_types(pecan.request, valid_content_types)
2015-02-10 11:57:25.165 18864 TRACE barbican.api.controllers File "/Users/char7232/tests/barbican/barbican/barbican/api/controllers/__init__.py", line 125, in _do_enforce_content_types
2015-02-10 11:57:25.165 18864 TRACE barbican.api.controllers expected=valid_content_types
2015-02-10 11:57:25.165 18864 TRACE barbican.api.controllers UnicodeDecodeError: 'ascii' codec can't decode byte 0xc4 in position 1: ordinal not in range(128)
2015-02-10 11:57:25.165 18864 TRACE barbican.api.controllers
2015-02-10 11:57:25.167 18864 WARNING barbican.api.middleware.context [-] Unable to retrieve request id from context
{address space usage: 2593398784 bytes/2473MB} {rss usage: 79302656 bytes/75MB} [pid: 18864|app: 0|req: 1995/1995] 127.0.0.1 () {36 vars in 2353 bytes} [Tue Feb 10 11:57:25 2015] POST /v1/secrets => generated 131 bytes in 3 msecs (HTTP/1.1 500) 3 headers in 125 bytes (2 switches on core 0)
=== Impact: ===
Low
=== Systems Vulnerable: ===
Local environment
=== Suggested Mitigation: ===
Enforce a reasonable character set on the Content-Type header.
=== Further References: ===
No references given
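An added Python 3 example (not Barbican's code) of the mitigation the report suggests: decode the header value without ever raising, then reject anything outside the RFC 7230 token grammar before the value is formatted into an error message, so malformed or non-ASCII input yields a client error rather than a 500. The 400 status, the allow-list and the function names are assumptions.

```python
import re

# RFC 7230 token characters; anything else (including every code point
# from U+0080 upward, the range the report names) is rejected up front.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE = re.compile(r"^(%s)/(%s)\s*(?:;.*)?$" % (_TOKEN, _TOKEN))

# Assumed allow-list for the secrets endpoint; Barbican's real list may differ.
VALID_CONTENT_TYPES = ("application/json",)


def decode_header(raw):
    """Decode a raw header value as UTF-8 without ever raising.

    Malformed bytes (e.g. the lone 0xC4 in the stack trace) become U+FFFD
    instead of a UnicodeDecodeError that surfaces as a 500.
    """
    if isinstance(raw, bytes):
        return raw.decode("utf-8", errors="replace")
    return raw


def parse_media_type(value):
    """Return the lower-cased 'type/subtype', or None if not a valid media type."""
    m = _MEDIA_TYPE.match(value)
    if m is None:
        return None
    return "%s/%s" % (m.group(1).lower(), m.group(2).lower())


def enforce_content_type(raw_header, valid=VALID_CONTENT_TYPES):
    """Return (status, message) for the request's Content-Type header.

    Bad input is a client error (400 here, an assumption), never a 500;
    the decoded text is embedded via repr() so the message stays printable.
    """
    supplied = decode_header(raw_header)
    media_type = parse_media_type(supplied)
    if media_type is None or media_type not in valid:
        return 400, "Unexpected content type: %r (expected %s)" % (
            supplied, ", ".join(valid))
    return 200, media_type


if __name__ == "__main__":
    # Constructed inputs: a normal header, the report's raw 0xC4 byte,
    # and a UTF-8 encoded "Ä".
    for hdr in (b"application/json; charset=utf-8", b"\xc4", "Ä".encode("utf-8")):
        print(hdr, "->", enforce_content_type(hdr))
```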

Changed in barbican:
assignee: nobody → Everardo Padilla Saca (everardo-padilla-saca)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/165056

Changed in barbican:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/165056
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=2348c924231116781b2bf401697fb63fe62c1e5f
Submitter: Jenkins
Branch: master

commit 2348c924231116781b2bf401697fb63fe62c1e5f
Author: Everardo Padilla Saca <email address hidden>
Date: Mon Mar 23 19:32:43 2015 +0200

    Add utf-8 decoding for Content-Type

    When POSTing a secret with an unsupported HTTP content type,
    decode the Content-Type field before printing it along the
    "Unexpected content type" message, as it might contain funky
    characters. Do this to avoid a 500 error.

    Closes-bug: #1421478
    Change-Id: I52d2321f6f73f698ea44960329907d7ca08c6403

Changed in barbican:
status: In Progress → Fix Committed
Changed in barbican:
milestone: none → kilo-rc1
OpenStack Infra (hudson-openstack) wrote : Related fix merged to barbican (master)

Reviewed: https://review.openstack.org/167044
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=78f90d8b204fcb56cfe19759a665044381cdd89c
Submitter: Jenkins
Branch: master

commit 78f90d8b204fcb56cfe19759a665044381cdd89c
Author: Everardo Padilla Saca <email address hidden>
Date: Tue Mar 24 01:31:51 2015 +0200

    Remove str() casting for the client_message variable

    This is done since the e.client_message variable is a unicode
    string that might be derived from a non-ascii input (for
    example, the user-supplied payload content type). If the str()
    function is applied to a non-ascii char, a UnicodeEncodeError
    exception will be thrown.

    Change-Id: I3ce5454a37347297b3ec0b0124234025a4aed872
    Closes-bug: #1435613
    Related-Bug: #1421478

Thierry Carrez (ttx)
Changed in barbican:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in barbican:
milestone: kilo-rc1 → 2015.1.0