mod_wsgi
SIGSEGV raising when passing invalid utf-8 sequence to Authentication header with Python 3
When an invalid UTF-8 sequence is passed in the Authentication header with AuthBasicProvider wsgi
and Python 3, a SIGSEGV occurs in the Apache child process.
[Mon Jul 22 18:35:36.799108 2024] [core:notice] [pid 3091685:tid 140098776566848] AH00052: child pid 3091689 exit signal Segmentation fault (11)
In wsgi_check_password(), the user and password are retrieved from the remote client; however, the return value of Py_BuildValue("(Oss)", ...) is not checked before it is passed to PyObject_CallObject() and Py_DECREF().
diff --git a/src/server/mod_wsgi.c b/src/server/mod_wsgi.c
index 9bc07c672..50805e118 100644
--- a/src/server/mod_wsgi.c
+++ b/src/server/mod_wsgi.c
@@ -14889,8 +14889,13 @@ static authn_status wsgi_check_password(request_rec *r, const char *user,
Py_INCREF(object);
args = Py_BuildValue("(Oss)", vars, user, password);
- result = PyObject_CallObject(object, args);
- Py_DECREF(args);
+ if (args == NULL) {
+ result = NULL;
+ }
+ else {
+ result = PyObject_CallObject(object, args);
+ Py_DECREF(args);
+ }
Py_DECREF(object);
Py_DECREF(vars);
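Review bot: the `if (args == NULL)` branch leaves the Python exception that Py_BuildValue set (the UnicodeDecodeError in the log below) pending and relies on the existing result == NULL handling after this hunk to report it; a one-line comment on that branch stating this dependency would make the contract explicit, since a future change to the result == NULL path could otherwise turn a logged error into a silent denial. The same unchecked Py_BuildValue pattern appears at the other call sites listed by the git grep output below, so the identical guard belongs in the same patch rather than only here.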
After applying the above patch temporarily, the following errors are logged instead of a SIGSEGV.
[Mon Jul 22 19:05:25.829812 2024] [wsgi:error] [pid 3093853:tid 140035076626176] [client 192.168.11.100:53020] mod_wsgi (pid=3093853): Exception occurred processing WSGI script '/dev/shm/modwsgi-ZGpDDX/auth.wsgi'.
[Mon Jul 22 19:05:25.833381 2024] [wsgi:error] [pid 3093853:tid 140035076626176] [client 192.168.11.100:53020] UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 0: invalid start byte
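The decode failure behind the crash, reproduced in Python as an added example (not code from the mod_wsgi project or from this issue): Apache hands the Basic credentials to the provider as raw bytes, and the "s" conversion in Py_BuildValue decodes them as strict UTF-8, which is exactly where a leading 0xff byte fails and yields the NULL the original code never checked. The sample headers, the KNOWN_PASSWORDS store and the strict_decode/lenient_decode helpers are constructed for illustration; surrogateescape is shown only as an alternative conversion, not as what mod_wsgi does.

```python
import base64
import binascii

# Constructed samples (not from the issue): a Basic credential whose password
# begins with 0xff, a byte that can never start a valid UTF-8 sequence, and a
# well-formed one for comparison.
SAMPLE_BAD_HEADER = "Basic " + base64.b64encode(b"alice:\xffsecret").decode("ascii")
SAMPLE_GOOD_HEADER = "Basic " + base64.b64encode(b"alice:secret").decode("ascii")

# Toy credential store standing in for the check_password() function of auth.wsgi.
KNOWN_PASSWORDS = {"alice": "secret"}


def split_basic_credentials(header):
    """Parse 'Basic <base64>' into (user, password) bytes, or None if malformed.

    This mirrors what Apache does before calling the AuthBasicProvider:
    at this point user and password are still raw byte strings.
    """
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(b":")
    if not sep:
        return None
    return user, password


def strict_decode(value):
    """Behave like the "s" conversion of Py_BuildValue: strict UTF-8, None on failure.

    In C, Py_BuildValue returns NULL and sets UnicodeDecodeError; here the
    exception is caught and None returned, so the caller must check the result
    just as the patched wsgi_check_password() now does.
    """
    try:
        return value.decode("utf-8")
    except UnicodeDecodeError:
        return None


def lenient_decode(value):
    """Alternative conversion (an assumption, not mod_wsgi behaviour): surrogateescape
    maps each undecodable byte to a lone surrogate code point, so it never fails."""
    return value.decode("utf-8", "surrogateescape")


def authenticate(header, decode=strict_decode):
    """Return 'malformed', 'decode_error', 'denied' or 'ok'.

    'decode_error' is the state the unpatched code reached: the conversion
    produced nothing usable, and continuing without a check is what crashed.
    """
    creds = split_basic_credentials(header)
    if creds is None:
        return "malformed"
    user, password = (decode(part) for part in creds)
    if user is None or password is None:
        return "decode_error"
    if KNOWN_PASSWORDS.get(user) == password:
        return "ok"
    return "denied"


if __name__ == "__main__":
    for name, header in (("good", SAMPLE_GOOD_HEADER), ("bad", SAMPLE_BAD_HEADER)):
        print(name, "strict:", authenticate(header),
              "lenient:", authenticate(header, lenient_decode))
```

Running the script prints "ok" for the well-formed header and "decode_error" for the one carrying 0xff under strict decoding; the message Python raises inside strict_decode for that input is the same "can't decode byte 0xff in position 0: invalid start byte" text seen in the log above. With surrogateescape the bad password becomes "\udcffsecret", so the request is simply denied instead of failing before the provider is ever called.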
The same issue might exist at the following locations:
$ git grep 'Py_BuildValue.*"[^"]*s[^"]*"'
src/server/mod_wsgi.c: args = Py_BuildValue("(s)", resource);
src/server/mod_wsgi.c: args = Py_BuildValue("(Oss)", vars, user, password);
src/server/mod_wsgi.c: args = Py_BuildValue("(Oss)", vars, user, realm);
src/server/mod_wsgi.c: args = Py_BuildValue("(Os)", vars, r->user);
src/server/mod_wsgi.c: args = Py_BuildValue("(Oss)", vars, r->user, password);
src/server/wsgi_logger.c: args = Py_BuildValue("(OssOOO)", buffer, "utf-8", "replace",
src/server/wsgi_metrics.c: args = Py_BuildValue("(s)", name);