Bug 5032 - Backtrace when getting malformed XML-RPC data
Summary: Backtrace when getting malformed XML-RPC data
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.16.0
Assignee: Pierre Ossman
URL:
Keywords: frifl_tester, prosaic
Depends on:
Blocks: 7659
Reported: 2014-03-20 16:02 CET by Henrik Andersson
Modified: 2023-10-03 10:51 CEST

See Also:
Acceptance Criteria:
MUST:

 * No backtrace should be logged when receiving malformed requests

SHOULD:

 * Nothing should be logged at all by default when receiving malformed requests

 * An XML-RPC client should log when a request is rejected because of malformed data


Description Henrik Andersson cendio 2014-03-20 16:02:57 CET
iconv get_public_sessioninfo.post -t latin1  | nc localhost 9000
2014-03-20 16:00:37 DEBUG vsmserver: Handling connection from ('127.0.0.1', 62113)
2014-03-20 16:00:37 ERROR vsmserver: Unhandled XMLRPC exception: <class 'thinlinc.vsm.xmlrpc.XMLDeMarshallingError'> ['not well-formed (invalid token): line 5, column 33', '<?xml version="1.0"?>\r\n<methodCall>\r\n   <methodName>get_public_sessioninfo</methodName>\r\n      <params>\r\n         <param><value><string>he\xe5n01</string></value></param>\r\n         <param><value><string>dhcp-252-250</string></value></param>\r\n         <param><value><int>1</int></value></param>\r\n      </params>\r\n</methodCall>\r\n'] Traceback (most recent call last):
  File "/opt/thinlinc/modules/thinlinc/vsm/async.py", line 112, in iii11
    obj . handle_read_event ( )
  File "/usr/lib64/python2.6/asyncore.py", line 428, in handle_read_event
    self.handle_read()
  File "/usr/lib64/python2.6/asynchat.py", line 140, in handle_read
    self.found_terminator()
  File "/opt/thinlinc/modules/thinlinc/vsm/xmlrpc.py", line 530, in found_terminator
    self . handle_request ( )
  File "/opt/thinlinc/modules/thinlinc/vsm/xmlrpc.py", line 542, in handle_request
    raise XMLDeMarshallingError , [ str ( ooO ) , self . payload ]
XMLDeMarshallingError: ['not well-formed (invalid token): line 5, column 33', '<?xml version="1.0"?>\r\n<methodCall>\r\n   <methodName>get_public_sessioninfo</methodName>\r\n      <params>\r\n         <param><value><string>he\xe5n01</string></value></param>\r\n         <param><value><string>dhcp-252-250</string></value></param>\r\n         <param><value><int>1</int></value></param>\r\n      </params>\r\n</methodCall>\r\n']
Comment 1 Henrik Andersson cendio 2014-03-21 08:09:43 CET
POST /RPC2 HTTP/1.1
User-Agent: Curl v125125
Host: localhost
Content-Type: text/xml
Content-Length: 324

<?xml version="1.0"?>
<methodCall>
   <methodName>get_public_sessioninfo</methodName>
      <params>
         <param><value><string>heån01</string></value></param>
         <param><value><string>dhcp-252-250</string></value></param>
         <param><value><int>1</int></value></param>
      </params>
</methodCall>
Comment 2 Pierre Ossman cendio 2021-03-09 16:58:50 CET
That is a malformed request as XML should be UTF-8 unless otherwise specified.

This happens no matter how the data is malformed, e.g. this can trigger it:

> (printf "POST /RPC2 HTTP/1.1\r\nContent-Length: 10\r\n\r\n" ; dd if=/dev/urandom) | nc localhost 904

It also happens to both vsmserver and vsmagent as they use the same parser.
Comment 4 Pierre Ossman cendio 2023-09-22 14:00:03 CEST
This got looked at as part of bug 8224.
Comment 5 Pierre Ossman cendio 2023-09-22 14:11:36 CEST
Fixed now.

> MUST:
> 
>  * No backtrace should be logged when receiving malformed requests

Indeed. Before the fix I get an XMLDeMarshallingError backtrace, but not after the fix.

> SHOULD:
> 
>  * Nothing should be logged at all by default when receiving malformed requests

There is indeed silence in the server side logs now.

>  * An XML-RPC client should log when a request is rejected because of malformed data

Indeed. I now get:

> 2023-09-22 14:10:51 WARNING vsmserver.loadinfo: Error talking to VSM agent 127.0.0.1:904 in request for loadinfo. Marking as down.: Request rejected by server: '400' 'Invalid XML-RPC data\r\n'
Comment 6 Adam Halim cendio 2023-10-03 10:51:36 CEST
This is fixed now, tested using latest build.

> MUST:
> 
>  * No backtrace should be logged when receiving malformed requests ✓
> 
> SHOULD:
> 
>  * Nothing should be logged at all by default when receiving malformed requests ✓
> 
>  * An XML-RPC client should log when a request is rejected because of malformed data ✓
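
The behaviour the acceptance criteria describe, as an added example that is not part of the bug thread and not ThinLinc's code: the server answers any unparsable body with the 400 response quoted in comment 5 and logs only at DEBUG, and the client logs the rejection. It uses Python's standard xmlrpc.client; the names handle_request, read_response, echo and the logger name are assumptions.

```python
import logging
import xmlrpc.client

log = logging.getLogger("xmlrpc_example")  # hypothetical logger name

INVALID = (400, "Invalid XML-RPC data\r\n")  # as quoted in comment 5

# Constructed sample modelled on the request body in comment 1.
BODY = (
    '<?xml version="1.0"?>\r\n<methodCall>\r\n'
    "<methodName>get_public_sessioninfo</methodName>\r\n<params>\r\n"
    "<param><value><string>he\u00e5n01</string></value></param>\r\n"
    "<param><value><string>dhcp-252-250</string></value></param>\r\n"
    "<param><value><int>1</int></value></param>\r\n"
    "</params>\r\n</methodCall>\r\n"
)


def echo(method, params):
    """Hypothetical method dispatcher: returns what it was called with."""
    return [method, list(params)]


def handle_request(payload, dispatch):
    """Server side: return (status, body) for one POST body."""
    try:
        params, method = xmlrpc.client.loads(payload)
        if not isinstance(method, str):
            raise ValueError("not a methodCall")
    except Exception as exc:
        # Any parse failure on untrusted input is a bad request: answer 400
        # and log at DEBUG only, without the payload or a traceback.
        log.debug("Rejected malformed XML-RPC request (%s)", type(exc).__name__)
        return INVALID
    result = dispatch(method, params)
    return 200, xmlrpc.client.dumps((result,), methodresponse=True)


def read_response(status, body):
    """Client side: log a rejection and raise, else return the result."""
    if status != 200:
        log.warning("Request rejected by server: %r %r", str(status), body)
        raise ConnectionError("request rejected by server: %d" % status)
    return xmlrpc.client.loads(body)[0][0]


if __name__ == "__main__":
    print(handle_request(BODY.encode("utf-8"), echo)[0])   # well-formed UTF-8
    print(handle_request(BODY.encode("latin-1"), echo))    # as in the report
```

Python's documentation warns that xmlrpc.client is not hardened against maliciously constructed XML, so a listener exposed to untrusted peers should also cap the accepted Content-Length before parsing.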
