Context Navigation

Modify ↓

#12403 closed defect (fixed)

TypeError: execv() arg 2 must contain only strings

Reported by:	Ryan J Ollos	Owned by:	Jun Omae
Priority:	normal	Milestone:	1.0.11
Component:	web frontend	Version:
Severity:	normal	Keywords:
Cc:		Branch:
Release Notes:	Null bytes in request argument for `name`, `value` or `filename` raises an `HTTPBadRequest` exception.
API Changes:
Internal Changes:

Description

From the logs:

[pid 7564 139730844530432] 2016-03-14 16:05:09,876 Trac[main] ERROR: Internal Server Error: <RequestWithSession "GET '/changeset?new=302bd3796163449f419a328fb5ce566b6cc55948@/&old=14519%2540/<%00ScRiPt%20%0d%0a>prompt(937841)</ScRiPt>&reponame=psuter.git&sfph_mail=&sfp_email=sample@email.tst'">, referrer 'http://trac.edgewall.org/'
Traceback (most recent call last):
  File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/trac/web/main.py", line 607, in _dispatch_request
    dispatcher.dispatch(req)
  File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/trac/web/main.py", line 256, in dispatch
    resp = chosen_handler.process_request(req)
  File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/trac/versioncontrol/web_ui/changeset.py", line 256, in process_request
    old = repos.normalize_rev(old or new)
  File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/tracopt/versioncontrol/git/git_fs.py", line 534, in normalize_rev
    normrev = self.git.verifyrev(rev)
  File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/tracopt/versioncontrol/git/PyGIT.py", line 717, in verifyrev
    rc = self.repo.rev_parse('--verify', rev).strip()
  File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/tracopt/versioncontrol/git/PyGIT.py", line 139, in __execute
    p = self.__pipe(git_cmd, stdout=PIPE, stderr=PIPE, *cmd_args)
  File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/tracopt/versioncontrol/git/PyGIT.py", line 132, in __pipe
    close_fds=close_fds, **kw)
  File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1335, in _execute_child
    raise child_exception
TypeError: execv() arg 2 must contain only strings

This looks to be similar to #11291.

Attachments (0)

Change History (7)

comment:1 by Jun Omae, 10 years ago

Null byte attack. This issue is caused by passing null byte to Popen().

>>> from subprocess import Popen
>>> Popen(('/bin/echo', '123')).wait()
123
0
>>> Popen(('/bin/echo', '12\x003')).wait()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1327, in _execute_child
    raise child_exception
TypeError: execv() arg 2 must contain only strings

It seems os.exec* family disallows null bytes.

$ LANG=C python -c "import os; os.execv('/bin/echo', ('/bin/echo', '123'))"
123
$ LANG=C python -c "import os; os.execv('/bin/echo', ('/bin/echo', '1\x0023'))"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
TypeError: execv() arg 2 must contain only strings
$
$ LANG=en_US.UTF-8 python -c "import os; os.execv('/bin/echo', ('/bin/echo', '123'))"
123
$ LANG=en_US.UTF-8 python -c "import os; os.execv('/bin/echo', ('/bin/echo', '1\x0023'))"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
TypeError: execv() arg 2 must contain only strings

Last edited 10 years ago by Jun Omae (previous) (diff)

comment:2 by Jun Omae, 10 years ago

I think we could reject such a request with null bytes.

trac/web/api.py

diff --git a/trac/web/api.py b/trac/web/api.py
index 0ea3e05af..b2599330c 100644

                class Request(object):
         args = []
         for value in fs.list or ():
             try:
+                name = unicode(value.name, 'utf-8')
+                if not value.filename:
+                    value = unicode(value.value, 'utf-8')
+                name = value.name
+                if '\x00' in name:
+                    raise HTTPBadRequest(_("Invalid request arguments."))
+                name = unicode(name, 'utf-8')
+                if value.filename:
+                    if '\x00' in value.filename:
+                        raise HTTPBadRequest(_("Invalid request arguments."))
+                else:
+                    value = value.value
+                    if '\x00' in value:
+                        raise HTTPBadRequest(_("Invalid request arguments."))
+                    value = unicode(value, 'utf-8')
             except UnicodeDecodeError, e:
                 raise HTTPBadRequest(
                     _("Invalid encoding in form data: %(msg)s",

Last edited 10 years ago by Jun Omae (previous) (diff)

comment:3 by Ryan J Ollos, 10 years ago

#12404 closed as a duplicate.

comment:4 by Ryan J Ollos, 10 years ago

Milestone:	next-stable-1.0.x → 1.0.11

comment:5 by Ryan J Ollos, 10 years ago

Release Notes:	modified (diff)

Thanks for the patch. I added tests in log:rjollos.git:t12403.

comment:6 by Ryan J Ollos, 10 years ago

Resolution:	→ fixed
Status:	new → closed

Committed to 1.0-stable in [14609], merged to trunk in [14610].

comment:7 by Ryan J Ollos, 10 years ago

Component:	plugin/git → web frontend
Owner:	set to Jun Omae

Modify Ticket

Change Properties

Summary:
Description:	From the logs: {{{ [pid 7564 139730844530432] 2016-03-14 16:05:09,876 Trac[main] ERROR: Internal Server Error: <RequestWithSession "GET '/changeset?new=302bd3796163449f419a328fb5ce566b6cc55948@/&old=14519%2540/<%00ScRiPt%20%0d%0a>prompt(937841)</ScRiPt>&reponame=psuter.git&sfph_mail=&sfp_email=sample@email.tst'">, referrer 'http://trac.edgewall.org/' Traceback (most recent call last): File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/trac/web/main.py", line 607, in _dispatch_request dispatcher.dispatch(req) File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/trac/web/main.py", line 256, in dispatch resp = chosen_handler.process_request(req) File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/trac/versioncontrol/web_ui/changeset.py", line 256, in process_request old = repos.normalize_rev(old or new) File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/tracopt/versioncontrol/git/git_fs.py", line 534, in normalize_rev normrev = self.git.verifyrev(rev) File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/tracopt/versioncontrol/git/PyGIT.py", line 717, in verifyrev rc = self.repo.rev_parse('--verify', rev).strip() File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/tracopt/versioncontrol/git/PyGIT.py", line 139, in __execute p = self.__pipe(git_cmd, stdout=PIPE, stderr=PIPE, cmd_args) File "/usr/local/virtualenv/1.1dev/lib/python2.7/site-packages/tracopt/versioncontrol/git/PyGIT.py", line 132, in __pipe close_fds=close_fds, *kw) File "/usr/lib/python2.7/subprocess.py", line 710, in __init__ errread, errwrite) File "/usr/lib/python2.7/subprocess.py", line 1335, in _execute_child raise child_exception TypeError: execv() arg 2 must contain only strings }}} This looks to be similar to #11291. You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:	Null bytes in request argument for `name`, `value` or `filename` raises an `HTTPBadRequest` exception.
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Jun Omae.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Jun Omae to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: