Handle bad xmlrpc data with BadRequest (#1244)

* Handle bad xmlrpc data with BadRequest helps ignore spam/pentest requests * Apply pre-commit code formatting * - add change log entry --------- Co-authored-by: pre-commit-ci-lite[bot] <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com> Co-authored-by: Jens Vagelpohl <[email protected]>
zopefoundation · Jan 14, 2025 · 1595981 · 1595981
1 parent 8c140a3
commit 1595981
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -10,6 +10,8 @@ https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
 5.11.2 (unreleased)
 -------------------
 
+- Fix error messages from spam/pen test requests.
+
 - Fix a ``ResourceWarning`` emitted when uploading large files.
   (`#1242 <https://github.com/zopefoundation/Zope/issues/1242>`_)
 
@@ -24,6 +26,7 @@ https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
 
 - Update to ``zope.interface = 7.2``.
 
+
 5.11.1 (2024-11-03)
 -------------------
 

diff --git a/src/ZPublisher/HTTPRequest.py b/src/ZPublisher/HTTPRequest.py
@@ -24,6 +24,7 @@
 from urllib.parse import parse_qsl
 from urllib.parse import unquote
 from urllib.parse import urlparse
+from xmlrpc.client import ResponseError
 
 from AccessControl.tainted import should_be_tainted as base_should_be_tainted
 from AccessControl.tainted import taint_string
@@ -872,7 +873,10 @@ def processInputs(
             if meth is not None:
                 raise BadRequest('method directive not supported for '
                                  'xmlrpc request')
-            meth, self.args = xmlrpc.parse_input(fs.value)
+            try:
+                meth, self.args = xmlrpc.parse_input(fs.value)
+            except ResponseError as e:
+                raise BadRequest(e)
             response = xmlrpc.response(response)
             other['RESPONSE'] = self.response = response
             self.maybe_webdav_client = 0