Bug #41060

Updated by Ernesto Puerta over 4 years ago

Right now, a request like this (without @Content-Type: application/json@) results in a 500 error + traceback:
<pre><code class="bash">
# curl -s -k -X POST "https://172.20.0.2:11000/api/auth" -d "{\"username\":\"xxx\",\"password\":\"xxxx\"}"
{
"status":
"500 Internal Server Error",
"version":
"3.2.2",
"detail":
"The server encountered an unexpected condition which prevented it from fulfilling the request.",
"traceback":
"Traceback (most recent call last):\n File \"/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py\", line 656, in respond\n
response.body = self.handler()\n File \"/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py\", line 188, in __call__\n
self.body = self.oldhandler(*args, **kwargs)\n File \"/usr/lib/python2.7/site-packages/cherrypy/_cptools.py\", line 221, in wrap\n
return self.newhandler(innerfunc, *args, **kwargs)\n File \"/ceph/src/pybind/mgr/dashboard/services/exception.py\", line 88, in dashboard_exception_handler\n
return handler(*args, **kwargs)\n File \"/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py\", line 34, in __call__\n
return self.callable(*self.args, **self.kwargs)\n File \"/ceph/src/pybind/mgr/dashboard/controllers/__init__.py\", line 649, in inner\n
ret = func(*args, **kwargs)\n File \"/ceph/src/pybind/mgr/dashboard/controllers/__init__.py\", line 842, in wrapper\n
return func(*vpath, **params)\nTypeError: create() got an unexpected keyword argument '{\"username\":\"xxxx\",\"password\":\"xxxx\"}'\n"
}
</code></pre>

There are 2 issues here:
* Trying to parse an unsupported content type can result in an exploit,
* The proper response according to HTTP 1.1 should be @416 - Unsupported Media Type@ (blame on client side) instead of @500 - Internal Server Error@.
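The failure mode and a stricter check, as an added example that is not part of the original report and is not the dashboard's code. It uses only the Python standard library. @create()@, @naive_dispatch()@ and @strict_dispatch()@ are hypothetical stand-ins, the success status is chosen for illustration, and the request body is a constructed sample matching the curl call above, which @curl -d@ labels as @application/x-www-form-urlencoded@ by default.

```python
import json
from http import HTTPStatus
from urllib.parse import parse_qsl

# Constructed sample: the JSON body from the report, as sent by `curl -d`.
BODY = '{"username":"xxx","password":"xxxx"}'
CURL_DEFAULT_TYPE = "application/x-www-form-urlencoded"


def create(username, password):
    """Hypothetical stand-in for the auth controller's create() handler."""
    return {"username": username}


def naive_dispatch(content_type, body):
    """Form-decode anything that is not JSON, then splat it into the handler."""
    if content_type.split(";")[0].strip().lower() == "application/json":
        params = json.loads(body)
    else:
        # No '=' or '&' in the body, so the whole JSON text becomes one key.
        params = dict(parse_qsl(body, keep_blank_values=True))
    return create(**params)


def naive_error(content_type, body):
    """Return the TypeError text the naive path raises, or None."""
    try:
        naive_dispatch(content_type, body)
    except TypeError as exc:
        return str(exc)
    return None


def strict_dispatch(content_type, body):
    """Reject unsupported media types and bad bodies before the handler runs."""
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return HTTPStatus.UNSUPPORTED_MEDIA_TYPE, {"detail": "expected application/json"}
    try:
        params = json.loads(body)
    except ValueError:
        return HTTPStatus.BAD_REQUEST, {"detail": "malformed JSON body"}
    if not isinstance(params, dict) or set(params) != {"username", "password"}:
        return HTTPStatus.BAD_REQUEST, {"detail": "expected username and password"}
    return HTTPStatus.CREATED, create(**params)
```

The strict path answers with a short client-error body, so attacker-controlled input never reaches the handler's keyword arguments and no traceback is returned.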
