Repeated Unexpected Exception errors


#1

Hello,
Our indico instance at https://indico.bnl.gov is generating the following exception messages every 20 minutes or so:

2019-02-26 10:50:44,326  d2720344dee04779  indico.flask - ERROR errors.py:107 -- 'dict' object has no attribute 'startswith'

Traceback (most recent call last):
  File "/opt/indico/.venv/lib/python2.7/site-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/indico/.venv/lib/python2.7/site-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/indico/.venv/lib/python2.7/site-packages/indico/web/http_api/handlers.py", line 142, in handler
    oauth_valid, oauth_request = oauth.verify_request([scope])
  File "/opt/indico/.venv/lib/python2.7/site-packages/flask_oauthlib/provider/oauth2.py", line 483, in verify_request
    uri, http_method, body, headers, scopes
  File "/opt/indico/.venv/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/endpoints/base.py", line 64, in wrapper
    return f(endpoint, uri, *args, **kwargs)
  File "/opt/indico/.venv/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/endpoints/resource.py", line 69, in verify_request
    request.token_type = self.find_token_type(request)
  File "/opt/indico/.venv/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/endpoints/resource.py", line 86, in find_token_type
    for n, t in self.tokens.items()))
  File "/opt/indico/.venv/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/endpoints/resource.py", line 86, in <genexpr>
    for n, t in self.tokens.items()))
  File "/opt/indico/.venv/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/tokens.py", line 300, in estimate_type
    if request.headers.get('Authorization', '').startswith('Bearer'):
AttributeError: 'dict' object has no attribute 'startswith'

{u'data': {u'get': {},
           u'headers': {'Accept': u'*/*',
                        'Accept-Encoding': u'br, gzip, deflate',
                        'Accept-Language': u'en-us',
                        'Authorization': u'Basic ****',
                        'Cache-Control': u'max-age=259200',
                        'Connection': u'keep-alive',
                        'Content-Type': u'text/xml',
                        'Front-End-Https': u'On',
                        'Host': u'indico.bnl.gov',
                        'Prefer': u'return=minimal',
                        'Surrogate-Capability': u'rev-cache1.sec.bnl.local="Surrogate/1.0 ESI/1.0"',
                        'User-Agent': u'Spark/607 CFNetwork/976 Darwin/18.2.0 (x86_64)',
                        'Via': u'1.1 rev-cache1.sec.bnl.local (squid)',
                        'X-Forwarded-For': u'75.70.***.**'},
           u'json': None,
           u'post': {},
           u'url': {'path': u'categ/145.ics', u'prefix': u'export'}},
 u'endpoint': u'api.httpapi',
 u'id': 'd2720344dee04779',
 u'ip': '192.168.1.32',
 u'method': 'GET',
 u'referrer': None,
 u'rh': None,
 u'time': '2019-02-26T10:50:44.339490',
 u'url': u'https://indico.bnl.gov/export/categ/145.ics',
 u'user': None,
 u'user_agent': u'Spark/607 CFNetwork/976 Darwin/18.2.0 (x86_64)'}

We are running Indico version 2.1.4. Any suggestions on how to fix?

Thanks!


#2

It looks like whatever client accessed the ics endpoint tried to send HTTP Basic auth headers. But the API doesn’t use Basic Auth - it either uses API key (+signature if enabled), or OAuth. The fact that we fail with an error if regular authorization headers are sent isn’t pretty (and we should fix it), but you can safely ignore that error (you might want to disable emails on errors).

Also, please contact welchsteven@icloud.com and inform him that some of his credentials got leaked in the data you posted (the base64-encoded authorization string). I’m removing this part from your post, but if bk**-****-****-**kk (without the *) is a password/token he’s using anywhere (e.g. his iCloud account), he needs to change it ASAP!

PS: Please update to 2.1.7. This is a straightforward update and contains mostly bugfixes.
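A defender-side helper illustrating the two points in the reply above, added here as an example and not code from Indico, Flask-OAuthlib or oauthlib: it reads only the scheme of an Authorization value (tolerating the non-string value that produced the traceback) and masks credential-bearing headers before an error dump is shared. The header list and the sample payload are constructed for the example.

```python
import re

# Header names whose values must never appear in a shared error dump.
# This set is an assumption for the example; extend it for your deployment.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}

# Only the auth scheme (e.g. "Basic", "Bearer") is useful for debugging;
# the credential that follows it is not.
_SCHEME_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_-]*)\s+\S")


def auth_scheme(value):
    """Return the scheme of an Authorization value, or None.

    Returns None for a non-string value (the traceback above shows a dict
    reaching oauthlib's .startswith call) and for a scheme with no credential.
    """
    if not isinstance(value, str):
        return None
    m = _SCHEME_RE.match(value)
    return m.group(1) if m else None


def redact(obj):
    """Recursively copy a log/error payload, masking values of sensitive headers."""
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            if isinstance(key, str) and key.lower() in SENSITIVE_HEADERS:
                scheme = auth_scheme(val)
                out[key] = f"{scheme} ****" if scheme else "****"
            else:
                out[key] = redact(val)
        return out
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


# Constructed sample modelled on the dump in the first post; the credential is fake.
SAMPLE = {
    "data": {
        "headers": {
            "Authorization": "Basic dXNlcjpmYWtlLXBhc3N3b3Jk",
            "Cookie": "session=abc123",
            "Host": "indico.example.org",
        },
        "url": {"path": "categ/145.ics", "prefix": "export"},
    },
    "endpoint": "api.httpapi",
}
```

Run `redact(SAMPLE)` before pasting such a payload anywhere public; the original object is left untouched.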


#3

Okay thanks for your help. I’ve informed our user.