search

metashare / META-SHARE

Public repository of the META-SHARE software
http://www.meta-share.eu/
Other
23 stars 31 forks source link

[Django] ERROR (EXTERNAL IP): Internal Server Error: /stats/top/ #759

Closed mmatthiesencsc closed 8 years ago

mmatthiesencsc commented 9 years ago

Hi,

Sometimes Metashare crashes and throws an error like below. The root cause seems to be

/metashare/stats/views.py: def topstats (request): """ viewing statistics about the top LR and latest queries. """ topdata = [] Where I added: """somtimes geovisits does not get set below, resulting in an error. """ geovisits = [] In patch format. [root@metashare stats]# diff -Naur views.py views.py~ --- views.py 2015-09-14 10:57:53.403834158 +0300 +++ views.py~ 2013-01-22 16:47:21.000000000 +0200 @@ -256,8 +256,6 @@ def topstats (request): """ viewing statistics about the top LR and latest queries. """ topdata = [] - """somtimes geovisits does not get set below, resulting in an error. """ - geovisits = [] view = request.GET.get('view', 'topviewed') last = request.GET.get('last', '') limit = int(request.GET.get('limit', '10')) I am not too familiar with the ins and outs of this particular funtion, but defining geovisits as an empty list at least does not seem to have broken anything. Another question is, whether it should ever be empty in the first place. Below the error messsage with headers. I have more examples, if someone is interested. Feel free to incorporate the patch if you deem it useful. Cheers, Martin Traceback (most recent call last): File "/v/META-SHARE-3.0.1/lib/python2.7/site-packages/django/core/handlers/base.py", line 111, in get_response response = callback(request, callback_args, *callback_kwargs) File "/v/META-SHARE-3.0.1/metashare/stats/views.py", line 345, in topstats 'geovisits': geovisits, UnboundLocalError: local variable 'geovisits' referenced before assignment [u'klzzwxh:002000swhdny']}>, POST:, COOKIES:{}, META:{'DOCUMENT_ROOT': '/v/META-SHARE-3.0.1/metashare/', 'GATEWAY_INTERFACE': 'CGI/1.1', 'HTTP_ACCEPT': 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, /', 'HTTP_ACCEPT_CHARSET': 'iso-8859-1,utf-8;q=0.9,*;q=0.1', 'HTTP_ACCEPT_LANGUAGE': 'en', 'HTTP_CONNECTION': 'Close', 'HTTP_HOST': 'metashare.csc.fi', 'HTTP_PRAGMA': 'no-cache', 'HTTP_USER_AGENT': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)', 'PATH_INFO': u'/stats/top/', 'PATH_TRANSLATED': '/v/META-SHARE-3.0.1/metashare//stats/top/', 'QUERY_STRING': 'view=%00swhdny', 'REDIRECT_STATUS': '200', 'REDIRECT_URI': '/metashare.fcgi/stats/top/?view=%00swhdny', 'REMOTE_ADDR': '194.136.154.133', 'REMOTE_PORT': '35566', 'REQUEST_METHOD': 'GET', 'REQUEST_URI': '/stats/top/?view=%00swhdny', 'SCRIPT_FILENAME': '/v/META-SHARE-3.0.1/metashare/metashare.fcgi', 'SCRIPT_NAME': u'', 'SERVER_ADDR': '86.50.27.125', 'SERVER_NAME': 'metashare.csc.fi', 'SERVER_PORT': '80', 'SERVER_PROTOCOL': 'HTTP/1.1', 'SERVER_SOFTWARE': 'lighttpd', 'wsgi.errors': , 'wsgi.input': , 'wsgi.multiprocess': False, 'wsgi.multithread': True, 'wsgi.run_once': False, 'wsgi.url_scheme': 'http', 'wsgi.version': (1, 0)}>
zeehio commented 9 years ago

Good catch. This error it is very easy to reproduce by visiting:

http://your_metashare_node/stats/top/?view=random_thing

In this case you have posted, some malicious user (probably a bot, don't assume you are targeted) was trying to use view=%00swhdny hoping that the 00 byte in the request could crash the system, reveal critical information from the server or allow some door to open (I am not a security expert, I don't know much about these things). This is proof that there is (bad) people out there looking for exploits to use, and shows why upgrade meta-share dependencies to use supported versions is important. If a severe exploit appeared for django 1.3, there are no security upgrades to protect us from it, because django-1.3 is not supported anymore. There is no need to panic, but there is a real need to do something about it.

As for the patch, I believe that setting geovisits = [] will make the World map shown in the statistics page appear grey, without any visit from any country, which is totally fine in this case. The patch is already appended to the pull request #758.

Best,

mmatthiesencsc commented 9 years ago

Hi Sergio, Thanks for your feedback!

I tested your URL on http://metashare.csc.fi/stats/top/?view=random_thing and found that another variable is not initialised: visitstitle So I set a default there as well: visitstitle = "Unknown"

And now Metashare does not crash anymore. Case closed, I'd say. As for django 1.3, an upgrade there must be decided way above our pay grade. I hope Metashare gets some funding.