python paste dumping raw input

Bug #1718509 reported by Ramon Grullon on 2017-09-20
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron | | Undecided | Unassigned |
paste | New | Undecided | Unassigned |
python-eventlet (Ubuntu) | | Undecided | Unassigned |

Bug Description

juju-7de47d-1-lxd-2:~ telnet localhost 9696
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET <script>cross_site_scripting.nasl</script>

HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 596
Date: Tue, 19 Sep 2017 20:17:09 GMT
Connection: close

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 481, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 198, in __call__
    path_info = self.normalize_url(path_info, False)[1]
  File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 122, in normalize_url
    "URL fragments must start with / or http:// (you gave %r)" % url)
AssertionError: URL fragments must start with / or http:// (you gave '<script>cross_site_scripting.nasl</script>')
Connection closed by foreign host.
➜ juju-7de47d-1-lxd-2:~

juju-7de47d-1-lxd-2:~ telnet localhost 9696
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET <script>document.cookie%22testgppq=1191;%22</script>

HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 602
Date: Tue, 19 Sep 2017 20:33:26 GMT
Connection: close

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 481, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 198, in __call__
    path_info = self.normalize_url(path_info, False)[1]
  File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 122, in normalize_url
    "URL fragments must start with / or http:// (you gave %r)" % url)
AssertionError: URL fragments must start with / or http:// (you gave '<script>document.cookie"testgppq=1191;"</script>')
Connection closed by foreign host.
➜ juju-7de47d-1-lxd-2:~
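
The two sessions above show the URL mapper asserting on a request path that lacks a leading "/", and the server returning the traceback, raw input included, to the client. As an added example (not the untested fix mentioned in the comments, and not paste or eventlet code), a WSGI wrapper can refuse such paths with a fixed 400 and replace any unhandled exception with a generic 500. `PathGuard`, `strict_mapper` and `run_request` are hypothetical names, and the sample paths are constructed.

```python
import logging
import sys

log = logging.getLogger("wsgi.guard")  # hypothetical logger name


class PathGuard(object):
    """Added example (hypothetical name): sits in front of the URL mapper."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        # Refuse targets such as "<script>..." before the mapper can assert on them.
        if path and not path.startswith("/"):
            return self._reply(start_response, "400 Bad Request", b"Bad Request\n")
        try:
            # Buffer the body so errors raised while iterating are caught as well.
            return list(self.app(environ, start_response))
        except Exception:
            # Full detail goes to the server log only; %r escapes control characters.
            log.exception("unhandled error for path %r", path)
            return self._reply(start_response, "500 Internal Server Error",
                               b"Internal Server Error\n", sys.exc_info())

    @staticmethod
    def _reply(start_response, status, body, exc_info=None):
        headers = [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
        start_response(status, headers, exc_info)
        return [body]


def strict_mapper(environ, start_response):
    # Constructed stand-in for a mapper that asserts on the path, as in the traceback.
    path = environ.get("PATH_INFO", "")
    assert path.startswith("/"), "URL fragments must start with / (you gave %r)" % path
    if path == "/boom":
        raise RuntimeError("secret internal detail")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def run_request(app, path):
    # Constructed driver: calls the app with a minimal environ, returns (status, body).
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return seen["status"], body
```

Independently of any wrapper, `eventlet.wsgi.server` accepts `debug=False`, which makes it answer 500 errors with an empty body instead of the traceback.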

Marc Deslauriers (mdeslaur) wrote :

Here is a completely untested fix.

Seth Arnold (seth-arnold) wrote :

Hello, it appears we've lost track of this issue.

I don't see this fix in our paste packages.

Has this issue been reported to upstream yet?

Is there a reason for this to remain private?

Thanks

Ramon Grullon (rgrullon) on 2019-05-08
information type: Private → Public
tags: added: patch