Pylons / pyramid

Pyramid - A Python web framework
https://trypyramid.com/

When pyramid.debug_authorization is enabled, invalid Unicode HTTP request raises URLDecodeError #3736

Closed mckea closed 10 months ago

mckea commented 1 year ago

Defining an error view for URLDecodeError will handle HTTP requests containing invalid Unicode characters, but if pyramid.debug_authorization is enabled in the application config file, a URLDecodeError is still raised on this line:

https://github.com/Pylons/pyramid/blob/3739a7790ba92c34098df3d804f27a1d8429f9fe/src/pyramid/viewderivers.py#L366

To reproduce, define an error view for URLDecodeError:

from pyramid.exceptions import URLDecodeError
from pyramid.httpexceptions import HTTPBadRequest
from pyramid.security import NO_PERMISSION_REQUIRED
from pyramid.view import view_config


# Exception view: turn an undecodable request path into a 400 instead of a 500.
# NO_PERMISSION_REQUIRED keeps the authorization machinery out of the error path.
@view_config(
    context=URLDecodeError,
    permission=NO_PERMISSION_REQUIRED
)
def url_decode_error_view(context, request):
    return HTTPBadRequest()

In the application config file, set pyramid.debug_authorization = true

Make a request containing invalid Unicode:

wget http://127.0.0.1:6543/%EF%BF

This will raise an exception and return a 500.

Repeating this with pyramid.debug_authorization = false will handle the exception properly and return a 400.
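A defense-in-depth measure for the failure described in this report, added here as an example (not code from the issue or from Pyramid): a WSGI middleware that answers 400 when the request path is not valid UTF-8, so an undecodable path never reaches the framework's traversal, view derivers or authorization debug logging regardless of the pyramid.debug_authorization setting. It assumes a PEP 3333 server, which exposes the percent-decoded path bytes as a latin-1 string in PATH_INFO; demo_app and the environ built in request_status are constructed for this demonstration.

```python
# Added example, not code from the issue or from Pyramid: a small WSGI
# middleware that answers 400 when the request path is not valid UTF-8, so an
# undecodable path never reaches the framework's traversal, view derivers or
# debug logging. Assumes a PEP 3333 server, which exposes the percent-decoded
# path bytes as a latin-1 string in PATH_INFO; demo_app and the environ built
# in request_status are constructed for this demonstration.
from urllib.parse import unquote_to_bytes

def path_is_valid_utf8(path_info):
    """True if the raw bytes behind PATH_INFO decode as strict UTF-8."""
    try:
        path_info.encode('latin-1').decode('utf-8')
    except UnicodeDecodeError:
        return False
    return True

class RejectInvalidUTF8Path:
    """WSGI middleware: 400 for undecodable paths, pass-through otherwise."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not path_is_valid_utf8(environ.get('PATH_INFO', '')):
            body = b'400 Bad Request: path is not valid UTF-8\n'
            start_response('400 Bad Request', [
                ('Content-Type', 'text/plain; charset=utf-8'),
                ('Content-Length', str(len(body)))])
            return [body]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    """Constructed stand-in for the wrapped (e.g. Pyramid) application."""
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'ok\n']

def request_status(raw_path):
    """Simulate the server's decoding of raw_path; return the status line."""
    environ = {'REQUEST_METHOD': 'GET',
               'PATH_INFO': unquote_to_bytes(raw_path).decode('latin-1')}
    captured = {}
    def start_response(status, headers):
        captured['status'] = status
    list(RejectInvalidUTF8Path(demo_app)(environ, start_response))
    return captured['status']
```

The report's request path /%EF%BF is the first two bytes of the three-byte UTF-8 sequence for U+FFFD, so it is rejected with 400, while the complete sequence /%EF%BF%BD passes through to the application.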

mmerickel commented 10 months ago

Thanks for reporting this - I've uncovered a couple bugs in the code related to this.

  1. I recommend that you use exception_view_config as there are some explicit optimizations in the code.
  2. Even if you did that, there were still some issues that I've fixed in #3741.