PennyDreadfulMTG / Penny-Dreadful-Tools

A suite of tools for the Penny Dreadful MTGO community
https://pennydreadfulmagic.com
MIT License

500 error at /cards/Wort, the Raidmother/ (caused by i18n?) #4317

Closed bakert closed 6 years ago

bakert commented 6 years ago

This happened 71 times (possibly a browser's auto-retry?) a few hours ago. Could be script-kiddie stuff, but it looks like maybe a bug with i18n?

expected only letters, got "id' union all select null,null,null,null,null,null,null,null-- qwey"

Reported on decksite by logged_out

Request Method: GET
Path: /cards/Wort, the Raidmother/?locale=id%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20qweY
Cookies: {}
Endpoint: card
View Args: {'name': 'Wort, the Raidmother'}
Person: logged_out
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; de-DE) AppleWebKit/528 (KHTML, like Gecko) Version/3.2.2 Safari/525.28.1
Referrer: None
Request Data: {}

ValueError
Stack Trace:
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1997, in __call__
return self.wsgi_app(environ, start_response)
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1985, in wsgi_app
response = self.handle_exception(e)
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1982, in wsgi_app
response = self.full_dispatch_request()
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1614, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1517, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/home/discord/.local/lib/python3.6/site-packages/flask/_compat.py", line 33, in reraise
raise value
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1612, in full_dispatch_request
rv = self.dispatch_request()
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1598, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "./decksite/cache.py", line 66, in decorated_function
response = make_response(f(*args, **kwargs))
File "./decksite/main.py", line 87, in card
return view.page()
File "./decksite/view.py", line 29, in page
return template.render_name('page', self)
File "./decksite/template.py", line 9, in render_name
return CachedRenderer(search_dirs=['decksite/templates']).render_name(template, *context)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/renderer.py", line 378, in render_name
return self._render_string(template, *context, **kwargs)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/renderer.py", line 402, in _render_string
return self._render_final(render_func, *context, **kwargs)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/renderer.py", line 419, in _render_final
return render_func(engine, stack)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/renderer.py", line 400, in <lambda>
render_func = lambda engine, stack: engine.render(template, stack)
File "./decksite/template.py", line 48, in render
return self.parsed_templates[template].render(self, context_stack)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/parsed.py", line 47, in render
parts = list(map(get_unicode, self._parse_tree))
File "/home/discord/.local/lib/python3.6/site-packages/pystache/parsed.py", line 46, in get_unicode
return node.render(engine, context)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/parser.py", line 152, in render
return engine.render(template, context)
File "./decksite/template.py", line 48, in render
return self.parsed_templates[template].render(self, context_stack)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/parsed.py", line 47, in render
parts = list(map(get_unicode, self._parse_tree))
File "/home/discord/.local/lib/python3.6/site-packages/pystache/parsed.py", line 46, in get_unicode
return node.render(engine, context)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/parser.py", line 152, in render
return engine.render(template, context)
File "./decksite/template.py", line 48, in render
return self.parsed_templates[template].render(self, context_stack)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/parsed.py", line 47, in render
parts = list(map(get_unicode, self._parse_tree))
File "/home/discord/.local/lib/python3.6/site-packages/pystache/parsed.py", line 46, in get_unicode
return node.render(engine, context)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/parser.py", line 121, in render
s = engine.fetch_string(context, self.key)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/renderengine.py", line 105, in fetch_string
val = self.resolve_context(context, name)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/renderer.py", line 317, in resolve_context
return context_get(stack, name)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/renderengine.py", line 19, in context_get
return stack.get(name)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/context.py", line 281, in get
result = self._get_simple(parts[0])
File "/home/discord/.local/lib/python3.6/site-packages/pystache/context.py", line 310, in _get_simple
result = _get_value(item, name)
File "/home/discord/.local/lib/python3.6/site-packages/pystache/context.py", line 73, in _get_value
return attr()
File "./decksite/view.py", line 305, in TT_HELP_TRANSLATE
return gettext("Help us translate the site into your language")
File "/home/discord/.local/lib/python3.6/site-packages/flask_babel/__init__.py", line 552, in gettext
t = get_translations()
File "/home/discord/.local/lib/python3.6/site-packages/flask_babel/__init__.py", line 227, in get_translations
[get_locale()],
File "/home/discord/.local/lib/python3.6/site-packages/flask_babel/__init__.py", line 261, in get_locale
locale = Locale.parse(rv)
File "/home/discord/.local/lib/python3.6/site-packages/babel/core.py", line 268, in parse
parts = parse_locale(identifier, sep=sep)
File "/home/discord/.local/lib/python3.6/site-packages/babel/core.py", line 1094, in parse_locale
raise ValueError('expected only letters, got %r' % lang)
silasary commented 6 years ago

Ohhhhh...

This is definitely the result of a script-kiddie tool.

4294 was subtle enough I didn't immediately recognise it, but they're both attempts at SQL injection.

This is easy enough to fix, now that we know it's malicious input.

bakert commented 6 years ago

Another 25 of these last night trying to put somewhat-database-looking gibberish in. Silly.

bakert commented 6 years ago
expected only letters, got '554'

Reported on decksite by logged_out
Request Method: GET
Path: /?locale=554
Cookies: {}
Endpoint: home
View Args: {}
Person: logged_out
Referrer: None
Request Data: {}
Host: pennydreadfulmagic.com
Accept-Encoding: gzip
Cf-Ipcountry: US
X-Forwarded-For: 157.55.39.152, 162.158.146.126
Cf-Ray: 3fdf3c12bf043b38-YVR
X-Forwarded-Proto: https
Cf-Visitor: {"scheme":"https"}
Cache-Control: no-cache
Pragma: no-cache
Accept: /
From: bingbot(at)microsoft.com
User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
Cf-Connecting-Ip: 157.55.39.152
X-Forwarded-Host: pennydreadfulmagic.com
X-Forwarded-Server: pennydreadfulmagic.com
Connection: Keep-Alive
--------------------------------------------------------------------------------
ValueError
Stack Trace:
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1997, in __call__
return self.wsgi_app(environ, start_response)
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1985, in wsgi_app
response = self.handle_exception(e)
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1982, in wsgi_app
response = self.full_dispatch_request()
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1614, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1517, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/home/discord/.local/lib/python3.6/site-packages/flask/_compat.py", line 33, in reraise
raise value
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1612, in full_dispatch_request
rv = self.dispatch_request()
File "/home/discord/.local/lib/python3.6/site-packages/flask/app.py", line 1598, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "./decksite/cache.py", line 65, in decorated_function
response = make_response(f(*args, **kwargs))
File "./decksite/main.py", line 45, in home
view = Home(ns.load_news(max_items=10), ds.load_decks(limit='LIMIT 50'), cs.played_cards())
File "./decksite/views/home.py", line 19, in __init__
self.active_runs = ngettext('%(num)d active league run', '%(num)d active league runs', len(active_runs))
File "/home/discord/.local/lib/python3.6/site-packages/flask_babel/__init__.py", line 573, in ngettext
t = get_translations()
File "/home/discord/.local/lib/python3.6/site-packages/flask_babel/__init__.py", line 227, in get_translations
[get_locale()],
File "/home/discord/.local/lib/python3.6/site-packages/flask_babel/__init__.py", line 261, in get_locale
locale = Locale.parse(rv)
File "/home/discord/.local/lib/python3.6/site-packages/babel/core.py", line 268, in parse
parts = parse_locale(identifier, sep=sep)
File "/home/discord/.local/lib/python3.6/site-packages/babel/core.py", line 1094, in parse_locale
raise ValueError('expected only letters, got %r' % lang)
silasary commented 6 years ago

I should get around to patching this, I guess.